Skip to main content

JetBrains GoLand EUVDEUVD-2026-38005

| CVE-2026-53915 HIGH
External Control of File Name or Path (CWE-73)
2026-06-19 JetBrains GHSA-hmp8-wrw4-r24c
8.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (JetBrains) PRIMARY
HIGH
qualitative
NVD
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Project files are obtained over the network and opened without prior auth (AV:N/PR:N), but require the developer to open the malicious project (UI:R), giving full code execution in the user context (C/I/A:H).

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (JetBrains).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 26, 2026 - 13:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 26, 2026 - 13:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 26, 2026 - 13:22 vuln.today
cvss_changed
CVSS changed
Jun 26, 2026 - 13:22 NVD
7.1 (HIGH) 8.8 (HIGH)
Patch available
Jun 19, 2026 - 14:31 EUVD
Analysis Generated
Jun 19, 2026 - 13:00 vuln.today

DescriptionNVD

In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project configuration

AnalysisAI

Remote code execution in JetBrains GoLand before 2026.1.3 lets an attacker run arbitrary code on a developer's machine when the victim opens a maliciously crafted project whose configuration is untrusted. The flaw, reported by JetBrains itself and assigned CVSS 8.8 with high confidentiality, integrity, and availability impact, requires the user to open the booby-trapped project (UI:R) but no prior authentication on the IDE. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious GoLand project config
Delivery
Deliver repo to developer (clone/share)
Exploit
Victim opens untrusted project
Execution
IDE loads attacker-controlled paths
Impact
Execute arbitrary code in user context

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to open or import an untrusted/attacker-supplied project in a vulnerable GoLand build (before 2026.1.3) where the project's configuration is trusted and processed by the IDE - this matches the UI:R in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are mixed and point to elevated-but-not-emergency risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a Go repository (or sends one to a target developer) that contains crafted project/configuration files. When the developer clones and opens it in a vulnerable GoLand build, the IDE processes the untrusted configuration during project load and executes attacker-controlled code on the developer's workstation. …
Remediation Upgrade to GoLand 2026.1.3 or later (Vendor-released patch: 2026.1.3), which is available from the vendor and documented at https://www.jetbrains.com/privacy-security/issues-fixed/. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all GoLand installations in your development organization and their current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38005 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy