Intellij Idea

In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible

Published: 2026-05-29T18:15:53.479Z
Updated: 2026-05-29T19:27:42.014Z

In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin

Published: 2026-05-29T18:15:52.223Z
Updated: 2026-05-29T19:28:03.037Z

In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account

Published: 2026-05-29T18:15:46.046Z
Updated: 2026-05-30T03:57:44.022Z

In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion

Published: 2026-05-29T18:15:45.443Z
Updated: 2026-05-30T03:57:38.324Z

In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via built-in web server

Published: 2026-04-30T11:05:58.236Z
Updated: 2026-04-30T13:05:06.370Z

In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH

Published: 2025-12-16T15:27:32.582Z
Updated: 2025-12-16T21:37:21.234Z

In JetBrains IntelliJ IDEA before 2025.2 hTML injection was possible via Remote Development feature

Published: 2025-08-20T09:13:59.164Z
Updated: 2025-08-20T15:19:37.239Z

In JetBrains IntelliJ IDEA before 2025.2 unexpected plugin startup was possible due to automatic LSP server start

Published: 2025-08-20T09:13:58.579Z
Updated: 2026-02-26T17:48:25.319Z

In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files

Published: 2025-08-20T09:13:57.934Z
Updated: 2025-08-20T15:20:52.623Z

In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference

Published: 2025-08-20T09:13:57.151Z
Updated: 2025-08-20T15:21:13.202Z

In JetBrains IntelliJ IDEA before 2024.3, 2024.2.4 source code could be logged in the idea.log file

Published: 2025-04-03T16:48:35.468Z
Updated: 2025-04-03T18:03:21.211Z

In JetBrains IntelliJ IDEA before 2024.1 hTML injection via the project name was possible

Published: 2024-09-16T10:32:48.632Z
Updated: 2024-09-16T13:29:49.021Z

GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; Aqua 2024.1.2; CLion 2023.1.7, 2023.2.4, 2023.3.5, 2024.1.3, 2024.2 EAP2; DataGrip 2023.1.3, 2023.2.4, 2023.3.5, 2024.1.4; DataSpell 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.2, 2024.2 EAP1; GoLand 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP3; MPS 2023.2.1, 2023.3.1, 2024.1 EAP2; PhpStorm 2023.1.6, 2023.2.6, 2023.3.7, 2024.1.3, 2024.2 EAP3; PyCharm 2023.1.6, 2023.2.7, 2023.3.6, 2024.1.3, 2024.2 EAP2; Rider 2023.1.7, 2023.2.5, 2023.3.6, 2024.1.3; RubyMine 2023.1.7, 2023.2.7, 2023.3.7, 2024.1.3, 2024.2 EAP4; RustRover 2024.1.1; WebStorm 2023.1.6, 2023.2.7, 2023.3.7, 2024.1.4

Published: 2024-06-10T15:58:06.021Z
Updated: 2025-02-13T17:52:58.741Z

In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL

Published: 2024-02-06T09:21:30.981Z
Updated: 2024-08-01T23:36:20.613Z

In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives

Published: 2024-02-06T09:21:30.488Z
Updated: 2025-05-15T19:44:43.563Z

In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository specified in the project configuration

Published: 2023-12-21T09:57:04.395Z
Updated: 2024-08-02T22:40:34.145Z

In JetBrains IntelliJ IDEA before 2023.2 plugin for Space was requesting excessive permissions

Published: 2023-07-26T12:14:12.180Z
Updated: 2024-10-23T15:40:10.411Z

In JetBrains IntelliJ IDEA before 2023.1.4 license dialog could be suppressed in certain cases

Published: 2023-07-12T12:48:23.129Z
Updated: 2024-10-22T17:59:39.959Z

In JetBrains IntelliJ IDEA before 2023.1 the NTLM hash could leak through an API method used in the IntelliJ IDEA built-in web server.

Published: 2023-03-29T12:07:22.996Z
Updated: 2025-02-12T16:22:14.615Z

In JetBrains IntelliJ IDEA before 2023.1 the bundled version of Chromium wasn't sandboxed.

Published: 2023-03-29T12:07:20.510Z
Updated: 2025-02-12T16:22:37.471Z

In JetBrains IntelliJ IDEA before 2023.1 in some cases, Gradle and Maven projects could be imported without the “Trust Project” confirmation.

Published: 2023-03-29T12:07:17.183Z
Updated: 2025-02-12T16:22:58.700Z

In JetBrains IntelliJ IDEA before 2023.1 file content could be disclosed via an external stylesheet path in Markdown preview.

Published: 2023-03-29T12:07:13.119Z
Updated: 2025-02-12T16:23:21.483Z

In JetBrains IntelliJ IDEA before 2022.3.1 code Templates were vulnerable to SSTI attacks.

Published: 2022-12-22T10:25:44.810Z
Updated: 2025-04-15T13:42:02.311Z

In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files.

Published: 2022-12-22T10:25:41.948Z
Updated: 2025-04-15T14:31:57.709Z

In JetBrains IntelliJ IDEA before 2022.3 a DYLIB injection on macOS was possible.

Published: 2022-12-08T17:37:59.846Z
Updated: 2025-04-22T18:33:56.630Z

In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible.

Published: 2022-12-08T17:37:58.458Z
Updated: 2025-04-22T18:07:59.925Z

In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal vulnerability.

Published: 2022-12-08T17:37:56.568Z
Updated: 2025-04-23T14:23:02.640Z

In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects.

Published: 2022-12-08T17:37:54.716Z
Updated: 2025-04-23T14:23:30.467Z

In JetBrains IntelliJ IDEA before 2022.2.4 a buffer overflow in the fsnotifier daemon on macOS was possible.

Published: 2022-12-08T17:37:52.175Z
Updated: 2025-04-23T14:23:49.885Z

The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking

Published: 2022-09-19T16:05:08.000Z
Updated: 2024-08-03T12:28:42.951Z

In JetBrains IntelliJ IDEA before 2022.2 email address validation in the "Git User Name Is Not Defined" dialog was missed

Published: 2022-07-28T10:25:16.000Z
Updated: 2024-08-03T10:21:32.474Z

In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible

Published: 2022-07-28T10:25:10.000Z
Updated: 2024-08-03T10:21:32.463Z

In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible

Published: 2022-04-28T09:55:28.000Z
Updated: 2024-08-03T06:33:42.822Z

In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed

Published: 2022-04-28T09:55:27.000Z
Updated: 2024-08-03T06:33:42.652Z

In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible

Published: 2022-04-28T09:55:26.000Z
Updated: 2024-08-03T06:33:42.813Z

In JetBrains IntelliJ IDEA before 2022.1 HTML injection into IDE messages was possible

Published: 2022-04-28T09:55:24.000Z
Updated: 2024-08-03T06:33:42.690Z

In JetBrains IntelliJ IDEA before 2022.1 local code execution via workspace settings was possible

Published: 2022-04-28T09:55:23.000Z
Updated: 2024-08-03T06:33:42.657Z

In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible

Published: 2022-04-28T09:55:21.000Z
Updated: 2024-08-03T06:33:42.902Z

In JetBrains IntelliJ IDEA before 2022.1 local code execution via custom Pandoc path was possible

Published: 2022-04-28T09:55:20.000Z
Updated: 2024-08-03T06:33:42.799Z

In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient

Published: 2022-04-28T09:55:19.000Z
Updated: 2024-08-03T06:33:42.664Z

In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields

Published: 2022-04-05T17:55:21.000Z
Updated: 2024-08-03T05:56:16.316Z

In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible.

Published: 2022-02-25T14:36:04.000Z
Updated: 2024-08-03T04:07:02.429Z

In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible.

Published: 2022-02-25T14:36:00.000Z
Updated: 2024-08-03T04:07:02.532Z

In JetBrains IntelliJ IDEA before 2021.1, DoS was possible because of unbounded resource allocation.

Published: 2021-05-11T11:32:37.000Z
Updated: 2024-08-03T22:32:41.122Z

In IntelliJ IDEA before 2020.3.3, XXE was possible, leading to information disclosure.

Published: 2021-05-11T11:24:23.000Z
Updated: 2024-08-03T22:24:59.628Z

In JetBrains IntelliJ IDEA 2020.3.3, local code execution was possible because of insufficient checks when getting the project from VCS.

Published: 2021-05-11T11:30:48.000Z
Updated: 2024-08-03T22:02:51.310Z

In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution.

Published: 2021-02-03T15:16:13.000Z
Updated: 2024-08-03T20:11:27.862Z

In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS.

Published: 2021-02-03T15:14:55.000Z
Updated: 2024-08-03T20:11:28.080Z

In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This issue was fixed in 2019.3.

Published: 2020-01-31T12:02:40.000Z
Updated: 2024-08-04T09:48:23.897Z

Ports listened to by JetBrains IntelliJ IDEA before 2019.3 were exposed to the network.

Published: 2020-01-30T17:03:36.000Z
Updated: 2024-08-04T09:48:23.515Z

In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS.

Published: 2020-01-30T17:01:39.000Z
Updated: 2024-08-04T09:48:23.727Z

In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version.

Published: 2020-11-16T15:11:25.000Z
Updated: 2024-08-04T16:18:44.665Z

In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases.

Published: 2020-04-22T13:52:39.000Z
Updated: 2024-08-04T11:35:13.899Z

In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.

Published: 2019-07-03T18:43:42.000Z
Updated: 2024-08-04T22:01:54.981Z

In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a cleartext unencrypted record of the server credentials in the IDE configuration files. If the Settings Repository plugin was then used and configured to synchronize IDE settings using a public repository, these credentials were published to this repository. The issue has been fixed in the following versions: 2019.1, 2018.3.5, 2018.2.8, and 2018.1.8.

Published: 2019-07-03T18:40:17.000Z
Updated: 2024-08-04T22:01:55.184Z

In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext record of the server credentials in the IDE configuration files. The issue has been fixed in the following versions: 2018.3.5, 2018.2.8, 2018.1.8.

Published: 2019-07-03T18:11:48.000Z
Updated: 2024-08-04T22:01:54.946Z

In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute code when the configuration is running, because a JMX server listens on all interfaces (instead of listening on only the localhost interface). This issue has been fixed in the following versions: 2019.1, 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.

Published: 2019-07-03T18:35:06.000Z
Updated: 2024-08-04T21:38:46.632Z

JetBrains IntelliJ IDEA before 2019.2 allows local user privilege escalation, potentially leading to arbitrary code execution.

Published: 2019-10-31T14:37:38.000Z
Updated: 2024-08-05T01:54:14.486Z

JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection.

Published: 2019-10-01T13:22:24.000Z
Updated: 2024-08-05T00:34:52.712Z

In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with the default setting allowed a remote attacker to execute code when the configuration is running, because a JMX server listened on all interfaces instead of localhost only. The issue has been fixed in the following versions: 2018.3.4, 2018.2.8, 2018.1.8, and 2017.3.7.

Published: 2019-07-03T18:52:13.000Z
Updated: 2024-08-04T22:10:09.962Z

IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing malicious code on both Androidmanifest.xml.

Published: 2018-08-03T15:00:00.000Z
Updated: 2024-09-16T18:23:33.553Z