Skip to main content

Kotlin CVE-2026-53914

| EUVDEUVD-2026-39659 CRITICAL
Deserialization of Untrusted Data (CWE-502)
2026-06-26 JetBrains
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Medium–Critical)
Vendor (JetBrains) PRIMARY
MEDIUM
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Code execution gives full C/I/A, but the attacker must first obtain write/influence over the build cache (PR:L) and meet cache-consumption timing (AC:H), unlike the vendor's PR:N/AC:L.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 27, 2026 - 19:43 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 27, 2026 - 19:42 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 27, 2026 - 19:37 vuln.today
cvss_changed
Severity Changed
Jun 27, 2026 - 19:37 NVD
MEDIUM CRITICAL
CVSS changed
Jun 27, 2026 - 19:37 NVD
6.7 (MEDIUM) 9.8 (CRITICAL)
Patch available
Jun 26, 2026 - 15:01 EUVD
Analysis Generated
Jun 26, 2026 - 13:53 vuln.today

DescriptionNVD

In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata

AnalysisAI

Remote code execution in JetBrains Kotlin before 2.4.20 stems from unsafe deserialization (CWE-502) of build cache metadata, allowing an attacker who can influence cached build artifacts to execute arbitrary code during a build. The flaw carries a CVSS 9.8 (C:H/I:H/A:H) rating, but there is no public exploit identified at time of analysis and EPSS is very low (0.11%, 2nd percentile), and CISA SSVC marks exploitation as 'none'. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Conduct inventory of all Kotlin installations and identify projects running versions prior to 2.4.20. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53914 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy