A vulnerability in JetBrains Junie allows an attacker to execute arbitrary operating‑system commands by placing a specially crafted project file in a location that the JetBrains Junie application will load. The flaw arises from unsafe handling of external project files, resulting in a classic command injection (CWE‑77) that can lead to full compromise of the host system if an attacker succeeds. The potential impact includes loss of confidentiality, integrity, and availability of the affected machine, as well as the possibility of using the compromised system to pivot into the broader network.

JetBrains Junie versions prior to 252.549.29 are affected. Any installation of this product that can be supplied with a malicious project file and that has the default configuration for loading such files is vulnerable.

The CVSS score of 5.8 indicates a moderate risk level. The EPSS score is not available, so current exploitation probability is unclear, but the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires the attacker to supply a malicious project file that the JetBrains Junie application will load; this could be achieved by a local or privileged user who can place the file in a monitored directory or by an attacker who can influence the file selection during the project import process. Based on the description, the likely attack vector is a local or file‑based vector rather than remote network exploitation.