Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible
AnalysisAI
XXE injection in IntelliJ IDEA's UI Designer form parser exposes local file contents to disclosure when a developer opens a maliciously crafted .form file in any version prior to 2026.1. The vulnerability arises because the XML parser fails to restrict external entity references (CWE-611), enabling an attacker-supplied document to read arbitrary local files accessible to the IDE process. No public exploit or CISA KEV listing exists at time of analysis; the low CVSS score of 3.3 reflects the local attack vector and requirement for user interaction, limiting real-world impact compared to network-exploitable XXE.
Technical ContextAI
JetBrains IntelliJ IDEA includes a UI Designer feature that parses XML-based .form files describing GUI layouts. CWE-611 (Improper Restriction of XML External Entity Reference) occurs when an XML parser processes external entity declarations without restriction, allowing file contents from the local filesystem or network to be read and embedded in parser output. The affected component here is specifically the UI Designer form parser, which processes these XML files when a developer opens or works with a .form file in the IDE. The CPE cpe:2.3:a:jetbrains:intellij_idea:*:*:*:*:*:*:*:* confirms all editions and platforms of IntelliJ IDEA prior to version 2026.1 are affected.
RemediationAI
Upgrade IntelliJ IDEA to version 2026.1 or later, which is confirmed as the vendor-patched release per the JetBrains security advisory at https://www.jetbrains.com/privacy-security/issues-fixed/. If an immediate upgrade is not possible, developers should avoid opening .form files from untrusted sources, third-party repositories, or unfamiliar projects without first inspecting the XML content for external entity declarations. Disabling the UI Designer plugin entirely in Settings > Plugins is an additional compensating control, though this removes GUI design functionality. Since exploitation requires local file delivery and user action, enforcing project-level trust policies and code review of contributed .form files can reduce exposure in team environments.
More in Intellij Idea
View allCode execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper
In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin
In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases. Rated
In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartex
In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to s
In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote att
In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin,
In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads
Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user accou
Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusin
In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions. Rated high severity (CVS
In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks. Rated high severity (CVSS 7.8
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33391
GHSA-hj3g-vw9v-9wj4