Severity by source
Sources disagree (Medium–Critical)AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Code execution gives full C/I/A, but the attacker must first obtain write/influence over the build cache (PR:L) and meet cache-consumption timing (AC:H), unlike the vendor's PR:N/AC:L.
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata
AnalysisAI
Remote code execution in JetBrains Kotlin before 2.4.20 stems from unsafe deserialization (CWE-502) of build cache metadata, allowing an attacker who can influence cached build artifacts to execute arbitrary code during a build. The flaw carries a CVSS 9.8 (C:H/I:H/A:H) rating, but there is no public exploit identified at time of analysis and EPSS is very low (0.11%, 2nd percentile), and CISA SSVC marks exploitation as 'none'. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Conduct inventory of all Kotlin installations and identify projects running versions prior to 2.4.20. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, pote
Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubn
In JetBrains Kotlin from 1.4-M1 to 1.4-RC (as Kotlin 1.3.7x is not affected by the issue. Rated high severity (CVSS 8.8)
JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle arti
JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects. Rated medi
Same weakness CWE-502 – Deserialization of Untrusted Data
View allSame technique Deserialization
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39659