Jetbrains: community verdicts

14 notable / known-exploited Jetbrains CVEs the community has triaged.

ⓘ Not an exhaustive list: we focus on the findings that matter (exploited / notable). For every Jetbrains CVE, see NVD ↗.

CVE-2024-27199HIGH 7.3KEVEPSS 100%
In JetBrains TeamCity before 2023.11.4 path traversal allowing to perform limited admin actions was possible
CVE-2023-42793CRIT 9.8KEVEPSS 100%
In JetBrains TeamCity before 2023.05.4 authentication bypass leading to RCE on TeamCity Server was possible
CVE-2024-27198CRIT 9.8KEVEPSS 100%
In JetBrains TeamCity before 2023.11.4 authentication bypass allowing to perform admin actions was possible
CVE-2026-50242CRIT 10Real · low riskEPSS 0%
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 authentication bypass via direct database access leading to administrative access was possible
CVE-2026-56142CRIT 9.9Real · low riskEPSS 0%
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 privilege escalation by attaching authentication details to accounts was possible
CVE-2026-57926LOW 2.6EPSS 0%
In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
CVE-2026-56141CRIT 9.8Real · low riskEPSS 0%
In JetBrains Hub before 2026.1.13757, 2025.3.148033, 2025.2.148048, 2025.1.148120, 2024.3.148430, 2024.2.148429 account takeover via predictable restore codes was possible
CVE-2026-53915HIGH 7.1Real · low riskEPSS 0%
In JetBrains GoLand before 2026.1.3 remote code execution was possible via untrusted project configuration
CVE-2026-53914MED 6.7EPSS 0%
In JetBrains Kotlin before 2.4.20 code execution was possible via unsafe deserialization in the build cache metadata
CVE-2026-57921MED 4.3EPSS 0%
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint
CVE-2026-57924MED 4.3EPSS 0%
In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details
CVE-2026-57925MED 4.3EPSS 0%
In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags
CVE-2026-57923MED 5.3EPSS 0%
In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings
CVE-2026-57922LOW 3.1EPSS 0%
In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible