Jetbrains Intellij Idea — known CVE vulnerabilities
Every CVE whose affected-product data names Jetbrains Intellij Idea, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (62)
CVE-2021-45977 — CVSS 9.8 (critical): JetBrains IntelliJ IDEA 2021.3.1 Preview, IntelliJ IDEA 2021.3.1 RC, PyCharm Professional 2021.3.1 RC, GoLand 2021.3.1, PhpStorm 2021.3.1…
CVE-2019-9823 — CVSS 9.8 (critical): In several JetBrains IntelliJ IDEA versions, creating remote run configurations of JavaEE application servers leads to saving a cleartext…
CVE-2019-9873 — CVSS 9.8 (critical): In several versions of JetBrains IntelliJ IDEA Ultimate, creating Task Servers configurations leads to saving a cleartext unencrypted…
CVE-2020-11690 — CVSS 9.8 (critical): In JetBrains IntelliJ IDEA before 2020.1, the license server could be resolved to an untrusted host in some cases.
CVE-2019-10104 — CVSS 9.8 (critical): In several JetBrains IntelliJ IDEA Ultimate versions, an Application Server run configuration (for Tomcat, Jetty, Resin, or CloudBees) with…
CVE-2019-9186 — CVSS 9.8 (critical): In several JetBrains IntelliJ IDEA versions, a Spring Boot run configuration with the default setting allowed remote attackers to execute…
CVE-2024-37051 — CVSS 9.3 (critical): GitHub access token could be exposed to third-party sites in JetBrains IDEs after version 2023.1 and less than: IntelliJ IDEA 2023.1.7…
CVE-2022-28651 — CVSS 8.4 (high): In JetBrains IntelliJ IDEA before 2021.3.3 it was possible to get passwords from protected fields
CVE-2019-9872 — CVSS 8.1 (high): In several versions of JetBrains IntelliJ IDEA Ultimate, creating run configurations for cloud application servers leads to saving a…
CVE-2026-49367 — CVSS 8.0 (high): In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account
CVE-2022-24346 — CVSS 7.8 (high): In JetBrains IntelliJ IDEA before 2021.3.1, local code execution via RLO (Right-to-Left Override) characters was possible.
CVE-2026-49366 — CVSS 7.8 (high): In JetBrains IntelliJ IDEA before 2026.1.1 command injection was possible via filename completion
CVE-2021-25758 — CVSS 7.8 (high): In JetBrains IntelliJ IDEA before 2020.3, potentially insecure deserialization of the workspace model could lead to local code execution.
CVE-2021-29263 — CVSS 7.8 (high): In JetBrains IntelliJ IDEA 2020.3.3, local code execution was possible because of insufficient checks when getting the project from VCS.
CVE-2022-24345 — CVSS 7.8 (high): In JetBrains IntelliJ IDEA before 2021.2.4, local code execution (without permission from a user) upon opening a project was possible.
CVE-2017-8316 — CVSS 7.5 (high): IntelliJ IDEA XML parser was found vulnerable to XML External Entity attack, an attacker can exploit the vulnerability by implementing…
CVE-2021-30504 — CVSS 7.5 (high): In JetBrains IntelliJ IDEA before 2021.1, DoS was possible because of unbounded resource allocation.
CVE-2020-7914 — CVSS 7.5 (high): In JetBrains IntelliJ IDEA 2019.2, an XSLT debugger plugin misconfiguration allows arbitrary file read operations over the network. This…
CVE-2022-40978 — CVSS 7.5 (high): The installer of JetBrains IntelliJ IDEA before 2022.2.2 was vulnerable to EXE search order hijacking
CVE-2020-7904 — CVSS 7.4 (high): In JetBrains IntelliJ IDEA before 2019.3, some Maven repositories were accessed via HTTP instead of HTTPS.
CVE-2026-41882 — CVSS 7.4 (high): In JetBrains IntelliJ IDEA before 2024.3.7.1, 2025.1.7.1, 2025.2.6.2, 2025.3.4.1, 2026.1.1 reading arbitrary local files was possible via…
CVE-2022-29819 — CVSS 6.9 (medium): In JetBrains IntelliJ IDEA before 2022.1 local code execution via links in Quick Documentation was possible
CVE-2022-29814 — CVSS 6.9 (medium): In JetBrains IntelliJ IDEA before 2022.1 local code execution via HTML descriptions in custom JSON schemas was possible
CVE-2025-57728 — CVSS 6.5 (medium): In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files
CVE-2025-57729 — CVSS 6.5 (medium): In JetBrains IntelliJ IDEA before 2025.2 unexpected plugin startup was possible due to automatic LSP server start
CVE-2023-51655 — CVSS 6.3 (medium): In JetBrains IntelliJ IDEA before 2023.3.2 code execution was possible in Untrusted Project mode via a malicious plugin repository…
CVE-2022-46826 — CVSS 6.2 (medium): In JetBrains IntelliJ IDEA before 2022.3 the built-in web server allowed an arbitrary file to be read by exploiting a path traversal…
CVE-2024-24941 — CVSS 6.1 (medium): In JetBrains IntelliJ IDEA before 2023.3.3 a plugin for JetBrains Space was able to send an authentication token to an inappropriate URL
CVE-2022-48433 — CVSS 6.1 (medium): In JetBrains IntelliJ IDEA before 2023.1 the NTLM hash could leak through an API method used in the IntelliJ IDEA built-in web server.
CVE-2019-14954 — CVSS 5.9 (medium): JetBrains IntelliJ IDEA before 2019.2 was resolving the markdown plantuml artifact download link via a cleartext http connection.
CVE-2022-46824 — CVSS 5.6 (medium): In JetBrains IntelliJ IDEA before 2022.2.4 a buffer overflow in the fsnotifier daemon on macOS was possible.
CVE-2022-48430 — CVSS 5.5 (medium): In JetBrains IntelliJ IDEA before 2023.1 file content could be disclosed via an external stylesheet path in Markdown preview.
CVE-2025-68269 — CVSS 5.4 (medium): In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH
CVE-2019-18361 — CVSS 5.3 (medium): JetBrains IntelliJ IDEA before 2019.2 allows local user privilege escalation, potentially leading to arbitrary code execution.
CVE-2020-27622 — CVSS 5.3 (medium): In JetBrains IntelliJ IDEA before 2020.2, the built-in web server could expose information about the IDE version.
CVE-2021-25756 — CVSS 5.3 (medium): In JetBrains IntelliJ IDEA before 2020.2, HTTP links were used for several remote repositories instead of HTTPS.
CVE-2022-47895 — CVSS 4.7 (medium): In JetBrains IntelliJ IDEA before 2022.3.1 the "Validate JSP File" action used the HTTP protocol to download required JAR files.
CVE-2026-49382 — CVSS 4.5 (medium): In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin
CVE-2022-48431 — CVSS 4.5 (medium): In JetBrains IntelliJ IDEA before 2023.1 in some cases, Gradle and Maven projects could be imported without the “Trust Project”…
CVE-2022-46825 — CVSS 4.0 (medium): In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects.
CVE-2022-46827 — CVSS 3.9 (low): In JetBrains IntelliJ IDEA before 2022.3 an XXE attack leading to SSRF via requests to custom plugin repositories was possible.
CVE-2022-37009 — CVSS 3.9 (low): In JetBrains IntelliJ IDEA before 2022.2 local code execution via a Vagrant executable was possible
CVE-2022-29818 — CVSS 3.9 (low): In JetBrains IntelliJ IDEA before 2022.1 origin checks in the internal web server were flawed
CVE-2022-29817 — CVSS 3.9 (low): In JetBrains IntelliJ IDEA before 2022.1 reflected XSS via error messages in internal web server was possible
CVE-2022-37010 — CVSS 3.6 (low): In JetBrains IntelliJ IDEA before 2022.2 email address validation in the "Git User Name Is Not Defined" dialog was missed
CVE-2023-38069 — CVSS 3.3 (low): In JetBrains IntelliJ IDEA before 2023.1.4 license dialog could be suppressed in certain cases
CVE-2024-24940 — CVSS 2.8 (low): In JetBrains IntelliJ IDEA before 2023.3.3 path traversal was possible when unpacking archives
CVE-2022-29812 — CVSS 2.3 (low): In JetBrains IntelliJ IDEA before 2022.1 notification mechanisms about using Unicode directionality formatting characters were insufficient