Skip to main content

Intellij Idea

55 CVEs product

Monthly

CVE-2026-59792 CRITICAL PATCH Act Now

Code execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper sanitization of the project workspace ID to write or reference files outside the intended workspace directory, culminating in arbitrary code execution. The flaw was self-reported by JetBrains and a fix is available; no public exploit has been identified at time of analysis. The NVD-assigned CVSS of 9.8 (network, no privileges, no user interaction) is notably high for a desktop IDE flaw and warrants scrutiny given that IDE project-handling bugs typically require a victim to open a crafted project.

Path Traversal RCE Intellij Idea
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49383 LOW PATCH Monitor

XXE injection in IntelliJ IDEA's UI Designer form parser exposes local file contents to disclosure when a developer opens a maliciously crafted `.form` file in any version prior to 2026.1. The vulnerability arises because the XML parser fails to restrict external entity references (CWE-611), enabling an attacker-supplied document to read arbitrary local files accessible to the IDE process. No public exploit or CISA KEV listing exists at time of analysis; the low CVSS score of 3.3 reflects the local attack vector and requirement for user interaction, limiting real-world impact compared to network-exploitable XXE.

XXE Intellij Idea
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-49367 HIGH PATCH This Week

Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user account to run arbitrary commands on the host. The flaw, reported by JetBrains and tagged as an authentication bypass affecting the IDE's collaborative/guest-access functionality, carries a CVSS 8.0 (High) rating with network attack vector but requires low-privilege access and user interaction. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Intellij Idea
NVD VulDB
CVSS 3.1
8.0
EPSS
0.0%
CVE-2026-49366 HIGH PATCH This Week

Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusing the filename completion feature when a developer interacts with a crafted filename. The flaw is locally exploitable with user interaction required and has high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Command Injection Intellij Idea
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-41882 HIGH PATCH This Week

Local file disclosure in IntelliJ IDEA's built-in web server allows remote attackers to read arbitrary local files via network requests requiring user interaction. JetBrains IDEA versions before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, and 2026.1.1 are affected. The vulnerability achieves scope change (CVSS S:C) enabling cross-context information theft with high confidentiality impact but no integrity or availability damage. No active exploitation (KEV-absent) or public POC identified at time of analysis, though vendor disclosure suggests controlled remediation timeline.

Information Disclosure Intellij Idea
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-57730 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2025.2 hTML injection was possible via Remote Development feature. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity. No vendor patch available.

XSS Intellij Idea
NVD
CVSS 3.1
5.2
EPSS
0.0%
CVE-2025-57729 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2025.2 unexpected plugin startup was possible due to automatic LSP server start. Rated medium severity (CVSS 6.5). No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-57728 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Intellij Idea
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-57727 MEDIUM Monitor

In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-32054 LOW Monitor

In JetBrains IntelliJ IDEA before 2024.3, 2024.2.4 source code could be logged in the idea.log file. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2024-46970 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2024.1 hTML injection via the project name was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Intellij Idea
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-37051 HIGH This Week

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Aqua Clion Datagrip Dataspell +9
NVD
CVSS 3.1
7.5
EPSS
3.8%
CVE-2024-24941 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-24940 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Intellij Idea
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2023-51655 CRITICAL Act Now

In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Intellij Idea
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2023-39261 HIGH This Week

In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Intellij Idea
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2023-38069 LOW Monitor

In JetBrains IntelliJ IDEA before 2023.1.4 license dialog could be suppressed in certain cases. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
3.3
EPSS
0.2%
CVE-2022-47896 HIGH This Week

In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Ssti Information Disclosure Intellij Idea
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-47895 HIGH This Week

In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2022-46828 HIGH This Week

In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Code Injection Intellij Idea
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-46827 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

SSRF XXE Intellij Idea
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2022-46826 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Intellij Idea
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2022-46825 LOW Monitor

In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
3.3
EPSS
0.1%
CVE-2022-46824 HIGH This Week

In JetBrains IntelliJ IDEA before 2022.2.4 a buffer overflow in the fsnotifier daemon on macOS was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Buffer Overflow Intellij Idea
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2022-40978 HIGH This Week

The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2022-37010 LOW Monitor

In JetBrains IntelliJ IDEA before 2022.2 email address validation in the "Git User Name Is Not Defined" dialog was missed. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
3.3
EPSS
0.2%
CVE-2022-37009 HIGH This Week

In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2022-29819 HIGH This Week

In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2022-29818 HIGH This Week

In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2022-29817 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Intellij Idea
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2022-29816 LOW Monitor

In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible. Rated low severity (CVSS 3.2), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Intellij Idea
NVD
CVSS 3.1
3.2
EPSS
0.3%
CVE-2022-29815 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2022-29814 HIGH This Week

In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2022-29813 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
CVSS 3.1
6.7
EPSS
0.2%
CVE-2022-29812 LOW Monitor

In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
2.3
EPSS
0.2%
CVE-2022-28651 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
5.5
EPSS
0.3%
CVE-2022-24346 HIGH This Week

In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Intellij Idea
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2022-24345 HIGH This Week

In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Intellij Idea
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2021-30504 HIGH This Week

In JetBrains IntelliJ IDEA before 2021.1, DoS was possible because of unbounded resource allocation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Intellij Idea
NVD
CVSS 3.1
7.5
EPSS
2.3%
CVE-2021-30006 HIGH This Week

In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure Intellij Idea
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-29263 HIGH This Week

In JetBrains IntelliJ IDEA 2020.3.3, local code execution was possible because of insufficient checks when getting the project from VCS. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Intellij Idea
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2021-25758 HIGH This Week

In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Intellij Idea
NVD
CVSS 3.1
7.8
EPSS
1.0%
CVE-2021-25756 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
5.3
EPSS
1.3%
CVE-2020-27622 MEDIUM This Month

In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
5.3
EPSS
1.3%
CVE-2020-11690 CRITICAL Act Now

In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
9.8
EPSS
2.2%
CVE-2020-7914 HIGH This Week

In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2020-7905 HIGH This Week

Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2020-7904 HIGH This Week

In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
7.4
EPSS
1.4%
CVE-2019-18361 MEDIUM This Month

JetBrains IntelliJ IDEA before 2019.2 allows local user privilege escalation, potentially leading to arbitrary code execution. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Intellij Idea
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2019-14954 MEDIUM This Month

JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.1
5.9
EPSS
0.7%
CVE-2019-9873 CRITICAL Act Now

In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.0
9.8
EPSS
1.6%
CVE-2019-9872 HIGH This Week

In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.0
8.1
EPSS
1.2%
CVE-2019-9823 CRITICAL Act Now

In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
CVSS 3.0
9.8
EPSS
1.6%
CVE-2019-9186 CRITICAL Act Now

In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Intellij Idea
NVD
CVSS 3.0
9.8
EPSS
4.5%
CVE-2019-10104 CRITICAL Act Now

In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Intellij Idea
NVD
CVSS 3.0
9.8
EPSS
3.8%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Code execution via path traversal in JetBrains IntelliJ IDEA before 2026.1.4 and 2026.2 lets an attacker abuse improper sanitization of the project workspace ID to write or reference files outside the intended workspace directory, culminating in arbitrary code execution. The flaw was self-reported by JetBrains and a fix is available; no public exploit has been identified at time of analysis. The NVD-assigned CVSS of 9.8 (network, no privileges, no user interaction) is notably high for a desktop IDE flaw and warrants scrutiny given that IDE project-handling bugs typically require a victim to open a crafted project.

Path Traversal RCE Intellij Idea
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

XXE injection in IntelliJ IDEA's UI Designer form parser exposes local file contents to disclosure when a developer opens a maliciously crafted `.form` file in any version prior to 2026.1. The vulnerability arises because the XML parser fails to restrict external entity references (CWE-611), enabling an attacker-supplied document to read arbitrary local files accessible to the IDE process. No public exploit or CISA KEV listing exists at time of analysis; the low CVSS score of 3.3 reflects the local attack vector and requirement for user interaction, limiting real-world impact compared to network-exploitable XXE.

XXE Intellij Idea
NVD VulDB
EPSS 0% CVSS 8.0
HIGH PATCH This Week

Command execution in JetBrains IntelliJ IDEA versions prior to 2026.1.1 allows attackers leveraging the guest user account to run arbitrary commands on the host. The flaw, reported by JetBrains and tagged as an authentication bypass affecting the IDE's collaborative/guest-access functionality, carries a CVSS 8.0 (High) rating with network attack vector but requires low-privilege access and user interaction. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Intellij Idea
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Command injection in JetBrains IntelliJ IDEA before 2026.1.1 allows attackers to execute arbitrary OS commands by abusing the filename completion feature when a developer interacts with a crafted filename. The flaw is locally exploitable with user interaction required and has high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Command Injection Intellij Idea
NVD VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Local file disclosure in IntelliJ IDEA's built-in web server allows remote attackers to read arbitrary local files via network requests requiring user interaction. JetBrains IDEA versions before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, and 2026.1.1 are affected. The vulnerability achieves scope change (CVSS S:C) enabling cross-context information theft with high confidentiality impact but no integrity or availability damage. No active exploitation (KEV-absent) or public POC identified at time of analysis, though vendor disclosure suggests controlled remediation timeline.

Information Disclosure Intellij Idea
NVD VulDB
EPSS 0% CVSS 5.2
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2025.2 hTML injection was possible via Remote Development feature. Rated medium severity (CVSS 5.2), this vulnerability is low attack complexity. No vendor patch available.

XSS Intellij Idea
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2025.2 unexpected plugin startup was possible due to automatic LSP server start. Rated medium severity (CVSS 6.5). No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Intellij Idea
NVD
EPSS 0% CVSS 4.7
MEDIUM Monitor

In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 3.3
LOW Monitor

In JetBrains IntelliJ IDEA before 2024.3, 2024.2.4 source code could be logged in the idea.log file. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2024.1 hTML injection via the project name was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Intellij Idea
NVD
EPSS 4% CVSS 7.5
HIGH This Week

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Aqua Clion +11
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Intellij Idea
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Intellij Idea
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Intellij Idea
NVD
EPSS 0% CVSS 3.3
LOW Monitor

In JetBrains IntelliJ IDEA before 2023.1.4 license dialog could be suppressed in certain cases. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Ssti Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Code Injection Intellij Idea
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

SSRF XXE Intellij Idea
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Path Traversal Intellij Idea
NVD
EPSS 0% CVSS 3.3
LOW Monitor

In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In JetBrains IntelliJ IDEA before 2022.2.4 a buffer overflow in the fsnotifier daemon on macOS was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Apple Buffer Overflow Intellij Idea
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 3.3
LOW Monitor

In JetBrains IntelliJ IDEA before 2022.2 email address validation in the "Git User Name Is Not Defined" dialog was missed. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
EPSS 0% CVSS 7.7
HIGH This Week

In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
EPSS 0% CVSS 7.1
HIGH This Week

In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed. Rated high severity (CVSS 7.1), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Intellij Idea
NVD
EPSS 0% CVSS 3.2
LOW Monitor

In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible. Rated low severity (CVSS 3.2), this vulnerability is low attack complexity. No vendor patch available.

Code Injection Intellij Idea
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
EPSS 0% CVSS 7.7
HIGH This Week

In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible. Rated high severity (CVSS 7.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.

RCE Code Injection Intellij Idea
NVD
EPSS 0% CVSS 2.3
LOW Monitor

In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient. Rated low severity (CVSS 2.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Intellij Idea
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Intellij Idea
NVD
EPSS 2% CVSS 7.5
HIGH This Week

In JetBrains IntelliJ IDEA before 2021.1, DoS was possible because of unbounded resource allocation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Intellij Idea
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XXE Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 7.8
HIGH This Week

In JetBrains IntelliJ IDEA 2020.3.3, local code execution was possible because of insufficient checks when getting the project from VCS. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

RCE Intellij Idea
NVD
EPSS 1% CVSS 7.8
HIGH This Week

In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Deserialization RCE Intellij Idea
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 2% CVSS 7.5
HIGH This Week

In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 1% CVSS 7.4
HIGH This Week

In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

JetBrains IntelliJ IDEA before 2019.2 allows local user privilege escalation, potentially leading to arbitrary code execution. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Intellij Idea
NVD
EPSS 1% CVSS 5.9
MEDIUM This Month

JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 1% CVSS 8.1
HIGH This Week

In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Intellij Idea
NVD
EPSS 5% CVSS 9.8
CRITICAL Act Now

In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Intellij Idea
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Tomcat Information Disclosure Intellij Idea
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy