
IntelliJ IDEA CVE-2026-49382

EUVD-2026-33390 | Severity: MEDIUM
Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336)
Published: 2026-05-29 | Vendor: JetBrains | Advisory: GHSA-fwch-gx6q-xhxg
CVSS 3.1 base score: 4.5

CVSS Vector (NVD)

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Patch available: May 29, 2026 - 20:02 (EUVD)
Analysis generated: May 29, 2026 - 18:56 (vuln.today)

Description (NVD)

In JetBrains IntelliJ IDEA before 2026.1, code execution was possible via template injection in the Copyright plugin.

Analysis (AI-generated)

Template injection (SSTI) in JetBrains IntelliJ IDEA's Copyright plugin before version 2026.1 enables local code execution when a victim interacts with a maliciously crafted copyright template. The flaw, rooted in CWE-1336 (improper neutralization of template engine special elements), requires both local access and user interaction, and carries a CVSS score of 4.5 (Medium) reflecting these significant constraints. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Craft malicious copyright template with SSTI payload
Delivery: Embed in shared/public project repository
Exploit: Developer opens project in IntelliJ IDEA pre-2026.1
Execution: Copyright plugin processes injected template directive
Impact: Execute arbitrary code as developer user

Vulnerability Assessment (AI-generated)

Exploitation: Local access to the target machine is required (CVSS AV:L), meaning the attacker cannot exploit this remotely over a network without first delivering a malicious project file or template configuration. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.5 Medium score is consistent with the real-world risk profile: AV:L (local attack vector) and UI:R (user interaction required) substantially constrain exploitability to scenarios where an attacker can deliver a malicious project or template configuration to a developer who then opens it in IntelliJ IDEA. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker crafts a malicious IntelliJ IDEA project containing a poisoned copyright template configuration with injected template engine directives (e.g., expressions that invoke Java runtime methods). The project is distributed via a public repository, phishing link, or shared workspace; when the victim opens the project and triggers copyright header insertion or project indexing that invokes the Copyright plugin, the template engine evaluates the payload and executes arbitrary code in the context of the IDE process running as the developer's user account. …

Remediation: The primary fix is to upgrade JetBrains IntelliJ IDEA to version 2026.1 or later, which resolves this vulnerability per the JetBrains security advisory at https://www.jetbrains.com/privacy-security/issues-fixed/. … Detailed patch versions, workarounds, and compensating controls in full report.
