Description
In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible
Published: 2026-02-09
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: DOM‑based XSS in PyCharm Jupyter viewer
Action: Patch
AI Analysis

Impact

The vulnerability is a DOM‑based cross‑site scripting flaw in the Jupyter notebook viewer of JetBrains PyCharm before version 2025.3.2. A crafted notebook, or any attacker able to inject script into the viewer's JavaScript context, can run arbitrary code in the developer's browser. This can lead to disclosure of local credentials, device compromise, or malicious modification of the development environment.

Affected Systems

Any installation of JetBrains PyCharm that includes the Jupyter notebook viewer and is earlier than 2025.3.2 is affected, including community and professional editions used by developers working with Jupyter notebooks.

Risk and Exploitability

The flaw has a CVSS score of 8.2 and an EPSS of less than 1%, meaning exploitation is feasible but not yet widely observed. It is not currently listed in the CISA KEV catalog. The likely attack vector is local: an attacker would need to deliver a malicious notebook or convince a trusted user to open an infected file. The weakness aligns with CWE‑79 and can be mitigated by applying the vendor patch or disabling the feature.

Generated by OpenCVE AI on April 17, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PyCharm to version 2025.3.2 or later to apply the XSS fix.
  • If an immediate update is not possible, disable the Jupyter notebook viewer feature or restrict access to untrusted notebooks so that malicious content cannot be loaded.
  • Configure project settings to limit file types or run the viewer in a safe mode to prevent arbitrary script execution.


Tracking


Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:45:00 +0000

Type  | Values Removed | Values Added
Title |                | DOM‑based XSS in PyCharm Jupyter Viewer

Wed, 18 Feb 2026 18:00:00 +0000

Type | Values Removed | Values Added
CPEs |                | cpe:2.3:a:jetbrains:pycharm:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 12:45:00 +0000

Type               | Values Removed | Values Added
First Time appeared |               | Jetbrains; Jetbrains pycharm
Vendors & Products  |               | Jetbrains; Jetbrains pycharm

Mon, 09 Feb 2026 14:15:00 +0000

Type         | Values Removed | Values Added
Metrics ssvc |                | {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type            | Values Removed | Values Added
Description     |                | In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible
Weaknesses      |                | CWE-79
References      |                |
Metrics cvssV3_1 |               | {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L'}


Subscriptions

Jetbrains Pycharm
MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-02-26T15:04:15.134Z

Reserved: 2026-02-06T14:16:37.003Z

Link: CVE-2026-25847

Vulnrichment

Updated: 2026-02-09T13:44:07.100Z

NVD

Status: Analyzed

Published: 2026-02-09T11:16:15.003

Modified: 2026-02-18T17:56:53.790

Link: CVE-2026-25847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses