Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion
AnalysisAI
Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusing the filename completion feature when a developer interacts with a crafted filename. The flaw is locally exploitable with user interaction required and has high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
IntelliJ IDEA is JetBrains' flagship Java/Kotlin integrated development environment, widely used across enterprise software development. The root cause is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning that filenames offered or selected through the IDE's filename completion logic are passed into an OS command construction path without proper sanitization or quoting. When a developer triggers completion on a file whose name contains shell metacharacters, those characters break out of the intended argument boundary and are interpreted as additional commands by the underlying shell or process executor. The affected component is identified by CPE cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:* covering all IntelliJ IDEA versions prior to the fixed release 2026.1.1.
RemediationAI
Vendor-released patch: upgrade IntelliJ IDEA to 2026.1.1 or later, which is the primary and recommended remediation per JetBrains' fixed-issues page at https://www.jetbrains.com/privacy-security/issues-fixed/. Until the upgrade can be deployed, compensating controls include avoiding use of filename completion in directories that contain untrusted content, refusing to open or browse repositories and archives from unverified sources, and instructing developers to clone third-party projects into sandboxed VMs or containers where shell execution from the IDE is isolated; the trade-off is reduced developer productivity and reliance on user discipline rather than technical enforcement. Endpoint detection rules can also be tuned to alert on unexpected shell child processes spawned by the IntelliJ IDEA process, accepting some false-positive noise from legitimate build tooling.
More in Intellij Idea
View allCode execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper
In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin
In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases. Rated
In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartex
In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to s
In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote att
In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin,
In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads
Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user accou
In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions. Rated high severity (CVS
In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks. Rated high severity (CVSS 7.8
In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible. Rated high severity (CVSS 7.8), this v
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33414
GHSA-rc87-jvvm-wgq4