Hub
by Jetbrains
CVEs (36)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-32229 | Med | 0.44 | 6.8 | 0.00 | Mar 11, 2026 | In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled | ||
| CVE-2026-50242 | 0.00 | — | 0.00 | Jun 19, 2026 | In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 authentication bypass via direct database access leading to administrative access was possible | |||
| CVE-2026-56142 | 0.00 | — | 0.00 | Jun 19, 2026 | In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authentication details to accounts was possible | |||
| CVE-2026-56141 | 0.00 | — | 0.00 | Jun 19, 2026 | In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 account takeover via predictable restore codes was possible | |||
| CVE-2026-25848 | 0.00 | — | 0.00 | Feb 9, 2026 | In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible | |||
| CVE-2025-64683 | 0.00 | — | 0.00 | Nov 10, 2025 | In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API | |||
| CVE-2025-64682 | 0.00 | — | 0.00 | Nov 10, 2025 | In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit | |||
| CVE-2025-64681 | 0.00 | — | 0.00 | Nov 10, 2025 | In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations | |||
| CVE-2025-24456 | 0.00 | — | 0.00 | Jan 21, 2025 | In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping | |||
| CVE-2024-50573 | 0.00 | — | 0.00 | Oct 28, 2024 | In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services | |||
| CVE-2024-38507 | 0.00 | — | 0.00 | Jun 18, 2024 | In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible | |||
| CVE-2022-48477 | 0.00 | — | 0.00 | Apr 24, 2023 | In JetBrains Hub before 2023.1.15725 SSRF protection in Auth Module integration was missing | |||
| CVE-2022-48429 | 0.00 | — | 0.01 | Mar 27, 2023 | In JetBrains Hub before 2022.3.15573, 2022.2.15572, 2022.1.15583 reflected XSS in dashboards was possible | |||
| CVE-2022-45471 | 0.00 | — | 0.01 | Nov 18, 2022 | In JetBrains Hub before 2022.3.15181 Throttling was missed when sending emails to a particular email address | |||
| CVE-2022-34894 | 0.00 | — | 0.01 | Jul 1, 2022 | In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services | |||
| CVE-2022-29811 | 0.00 | — | 0.00 | Apr 28, 2022 | In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible. | |||
| CVE-2022-25259 | 0.00 | — | 0.01 | Feb 25, 2022 | JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS. | |||
| CVE-2022-25260 | 0.00 | — | 0.02 | Feb 25, 2022 | JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF). | |||
| CVE-2022-25262 | 0.00 | — | 0.01 | Feb 25, 2022 | In JetBrains Hub before 2022.1.14434, SAML request takeover was possible. | |||
| CVE-2022-24328 | 0.00 | — | 0.01 | Feb 25, 2022 | In JetBrains Hub before 2021.1.13956, an unprivileged user could perform DoS. |
- risk 0.44cvss 6.8epss 0.00
In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled
- CVE-2026-50242Jun 19, 2026risk 0.00cvss —epss 0.00
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 authentication bypass via direct database access leading to administrative access was possible
- CVE-2026-56142Jun 19, 2026risk 0.00cvss —epss 0.00
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authentication details to accounts was possible
- CVE-2026-56141Jun 19, 2026risk 0.00cvss —epss 0.00
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 account takeover via predictable restore codes was possible
- CVE-2026-25848Feb 9, 2026risk 0.00cvss —epss 0.00
In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible
- CVE-2025-64683Nov 10, 2025risk 0.00cvss —epss 0.00
In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API
- CVE-2025-64682Nov 10, 2025risk 0.00cvss —epss 0.00
In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit
- CVE-2025-64681Nov 10, 2025risk 0.00cvss —epss 0.00
In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations
- CVE-2025-24456Jan 21, 2025risk 0.00cvss —epss 0.00
In JetBrains Hub before 2024.3.55417 privilege escalation was possible via LDAP authentication mapping
- CVE-2024-50573Oct 28, 2024risk 0.00cvss —epss 0.00
In JetBrains Hub before 2024.3.47707 improper access control allowed users to generate permanent tokens for unauthorized services
- CVE-2024-38507Jun 18, 2024risk 0.00cvss —epss 0.00
In JetBrains Hub before 2024.2.34646 stored XSS via project description was possible
- CVE-2022-48477Apr 24, 2023risk 0.00cvss —epss 0.00
In JetBrains Hub before 2023.1.15725 SSRF protection in Auth Module integration was missing
- CVE-2022-48429Mar 27, 2023risk 0.00cvss —epss 0.01
In JetBrains Hub before 2022.3.15573, 2022.2.15572, 2022.1.15583 reflected XSS in dashboards was possible
- CVE-2022-45471Nov 18, 2022risk 0.00cvss —epss 0.01
In JetBrains Hub before 2022.3.15181 Throttling was missed when sending emails to a particular email address
- CVE-2022-34894Jul 1, 2022risk 0.00cvss —epss 0.01
In JetBrains Hub before 2022.2.14799, insufficient access control allowed the hijacking of untrusted services
- CVE-2022-29811Apr 28, 2022risk 0.00cvss —epss 0.00
In JetBrains Hub before 2022.1.14638 stored XSS via project icon was possible.
- CVE-2022-25259Feb 25, 2022risk 0.00cvss —epss 0.01
JetBrains Hub before 2021.1.14276 was vulnerable to reflected XSS.
- CVE-2022-25260Feb 25, 2022risk 0.00cvss —epss 0.02
JetBrains Hub before 2021.1.14276 was vulnerable to blind Server-Side Request Forgery (SSRF).
- CVE-2022-25262Feb 25, 2022risk 0.00cvss —epss 0.01
In JetBrains Hub before 2022.1.14434, SAML request takeover was possible.
- CVE-2022-24328Feb 25, 2022risk 0.00cvss —epss 0.01
In JetBrains Hub before 2021.1.13956, an unprivileged user could perform DoS.
Page 1 of 2