Vendor CVEs
JetBrains
All CVEs
564 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-27199 | | High | 0.73 | 7.3 | 1.00 | KEV | Mar 4, 2024 | In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible |
| CVE-2026-49368 | | High | 0.57 | 8.7 | 0.00 | | May 29, 2026 | In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible |
| CVE-2026-44413 | | High | 0.53 | 8.2 | 0.00 | | May 11, 2026 | In JetBrains TeamCity before 2026.1, 2025.11.5 authenticated users could expose server API to unauthorised access |
| CVE-2026-49367 | | High | 0.52 | 8.0 | 0.00 | | May 29, 2026 | In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account |
| CVE-2026-49366 | | High | 0.51 | 7.8 | 0.00 | | May 29, 2026 | In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion |
| CVE-2018-14878 | | High | 0.51 | 7.8 | 0.02 | | Aug 13, 2018 | JetBrains dotPeek before 2018.2 and ReSharper Ultimate before 2018.1.4 allow attackers to execute code by decompiling a compiled .NET object (such as a DLL or EXE file) with a specific file, because of Deserialization of Untrusted Data. |
| CVE-2026-49374 | | High | 0.49 | 7.6 | 0.00 | | May 29, 2026 | In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters |
| CVE-2026-49372 | | High | 0.49 | 7.5 | 0.00 | | May 29, 2026 | In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible |
| CVE-2017-8316 | | High | 0.49 | 7.5 | 0.02 | | Aug 3, 2018 | IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml. |
| CVE-2026-41882 | | High | 0.48 | 7.4 | 0.00 | | Apr 30, 2026 | In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server |
| CVE-2026-33392 | | High | 0.47 | 7.2 | 0.00 | | Apr 17, 2026 | In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass |
| CVE-2026-49373 | | High | 0.46 | 7.1 | 0.00 | | May 29, 2026 | In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings |
| CVE-2026-49371 | | High | 0.46 | 7.1 | 0.00 | | May 29, 2026 | In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible |
| CVE-2026-32229 | | Medium | 0.44 | 6.8 | 0.00 | | Mar 11, 2026 | In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled |
| CVE-2026-49386 | | Medium | 0.42 | 6.5 | 0.00 | | May 29, 2026 | In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas |
| CVE-2026-49385 | | Medium | 0.42 | 6.5 | 0.00 | | May 29, 2026 | In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts |
| CVE-2026-49379 | | Medium | 0.42 | 6.5 | 0.00 | | May 29, 2026 | In JetBrains TeamCity before 2026.1 credentials could be exposed in thread names |
| CVE-2026-49376 | | Medium | 0.42 | 6.5 | 0.00 | | May 29, 2026 | In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin |
| CVE-2026-32745 | | Medium | 0.41 | 6.3 | 0.00 | | Mar 13, 2026 | In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings |
| CVE-2026-49384 | | Medium | 0.40 | 6.1 | 0.00 | | May 29, 2026 | In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible |
| CVE-2026-49375 | | Medium | 0.40 | 6.1 | 0.00 | | May 29, 2026 | In JetBrains TeamCity before 2026.1, 2025.11.5 reflected XSS was possible on the repository download page |
| CVE-2026-41153 | | Medium | 0.38 | 5.8 | 0.00 | | Apr 17, 2026 | In JetBrains Junie before 252.549.29 command execution was possible via malicious project file |
| CVE-2026-49382 | | Medium | 0.29 | 4.5 | 0.00 | | May 29, 2026 | In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin |
| CVE-2026-49378 | | Medium | 0.28 | 4.3 | 0.00 | | May 29, 2026 | In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion |
| CVE-2026-49377 | | Medium | 0.28 | 4.3 | 0.01 | | May 29, 2026 | In JetBrains TeamCity before 2025.11.2 exposure of sensitive data via default agent parameters |
| CVE-2026-49369 | | Medium | 0.28 | 4.3 | 0.00 | | May 29, 2026 | In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages |
| CVE-2024-27198 | | | 0.28 | — | 1.00 | KEV | Mar 4, 2024 | In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible |
| CVE-2023-42793 | | | 0.28 | — | 1.00 | KEV | Sep 19, 2023 | In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible |
| CVE-2026-49381 | | Low | 0.22 | 3.4 | 0.00 | | May 29, 2026 | In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible |
| CVE-2026-49370 | | Low | 0.22 | 3.4 | 0.00 | | May 29, 2026 | In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests |
| CVE-2026-49383 | | Low | 0.21 | 3.3 | 0.00 | | May 29, 2026 | In JetBrains IntelliJ IDEA before 2026.1 XXE in the UI Designer form parser was possible |
| CVE-2026-49380 | | Low | 0.20 | 3.1 | 0.00 | | May 29, 2026 | In JetBrains TeamCity before 2026.1 open redirect in the SAML plugin was possible |
| CVE-2024-23917 | | | 0.06 | — | 0.54 | | Feb 6, 2024 | In JetBrains TeamCity before 2023.11.3 authentication bypass leading to RCE was possible |
| CVE-2024-43810 | | | 0.04 | — | 0.00 | | Aug 16, 2024 | In JetBrains TeamCity before 2024.07.1 reflected XSS was possible in the AWS Core plugin |
| CVE-2024-41825 | | | 0.04 | — | 0.00 | | Jul 22, 2024 | In JetBrains TeamCity before 2024.07 stored XSS was possible on the Code Inspection tab |
| CVE-2024-36374 | | | 0.04 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2024.03.2 stored XSS via build step settings was possible |
| CVE-2024-36373 | | | 0.04 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2024.03.2 several stored XSS in untrusted builds settings were possible |
| CVE-2024-36371 | | | 0.04 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2023.05.6, 2023.11.5 stored XSS in Commit status publisher was possible |
| CVE-2024-36370 | | | 0.04 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via OAuth connection settings was possible |
| CVE-2024-36369 | | | 0.04 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 stored XSS via issue tracker integration was possible |
| CVE-2024-36366 | | | 0.04 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 an XSS could be executed via certain report grouping and filtering operations |
| CVE-2024-36363 | | | 0.04 | — | 0.00 | | May 29, 2024 | In JetBrains TeamCity before 2022.04.7, 2022.10.6, 2023.05.6, 2023.11.5 several Stored XSS in code inspection reports were possible |
| CVE-2025-31140 | | | 0.03 | — | 0.27 | | Mar 27, 2025 | In JetBrains TeamCity before 2025.03 stored XSS was possible on Cloud Profiles page |
| CVE-2024-56355 | | | 0.03 | — | 0.01 | | Dec 20, 2024 | In JetBrains TeamCity before 2024.12 missing Content-Type header in RemoteBuildLogController response could lead to XSS |
| CVE-2024-56352 | | | 0.03 | — | 0.01 | | Dec 20, 2024 | In JetBrains TeamCity before 2024.12 stored XSS was possible via image name on the agent details page |
| CVE-2024-43807 | | | 0.03 | — | 0.00 | | Aug 16, 2024 | In JetBrains TeamCity before 2024.07.1 multiple stored XSS was possible on Clouds page |
| CVE-2019-15039 | | | 0.03 | — | 0.13 | | Oct 1, 2019 | An issue was discovered in JetBrains TeamCity 2018.2.4. It had a possible remote code execution issue. This was fixed in TeamCity 2019.1. |
| CVE-2025-24459 | | | 0.02 | — | 0.03 | | Jan 21, 2025 | In JetBrains TeamCity before 2024.12.1 reflected XSS was possible on the Vault Connection page |
| CVE-2024-50582 | | | 0.02 | — | 0.00 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements |
| CVE-2024-50581 | | | 0.02 | — | 0.00 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag |