Description
In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible
Published: 2026-05-29
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability was discovered in the UI Designer form parser of JetBrains IntelliJ IDEA, allowing an attacker to specify XML external entity references (xEEs). The flaw permits the loading of arbitrary local resources or external data during the parsing of form files. Since the vulnerability is tied to the form parser, the primary impact is the potential for unintended data disclosure rather than remote code execution. The associated CWE indicates a weakness in XML processing logic that can lead to information leakage.

Affected Systems

JetBrains IntelliJ IDEA versions prior to 2026.1 are impacted. No additional sub‑versions or build identifiers are supplied, so all installations using a pre‑2026.1 release are considered vulnerable.

Risk and Exploitability

The CVSS score of 3.3 classifies this issue as low severity. The EPSS score is not available, providing no indication of current exploitation trends. JetBrains has not listed this vulnerability in the CISA KEV catalog. Likely attack vectors are local: a malicious user could create or manipulate a UI Designer form file containing an XML external entity, or a compromised plugin could supply such a file to the parser. The lack of a public exploit suggests that the vulnerability is not actively leveraged by threat actors, but the potential for accidental exposure exists if untrusted files are processed.

Generated by OpenCVE AI on May 29, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update JetBrains IntelliJ IDEA to version 2026.1 or later, which contains the fixed form parser
  • Configure the XML parser in the development environment to disable external entity resolution, if possible, to mitigate processing of malicious UI files
  • Limit the use or storage of UI Designer form files to trusted sources and avoid importing external or unverified XML content

Generated by OpenCVE AI on May 29, 2026 at 19:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Jetbrains
Jetbrains intellij Idea
Vendors & Products Jetbrains
Jetbrains intellij Idea
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 20:15:00 +0000

Type Values Removed Values Added
Title XML External Entity Vulnerability in JetBrains IntelliJ IDEA UI Designer

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Description In JetBrains IntelliJ IDEA before 2026.1 xXE in the UI Designer form parser was possible
Weaknesses CWE-611
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Subscriptions

Jetbrains Intellij Idea
cve-icon MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-05-29T19:27:42.014Z

Reserved: 2026-05-29T18:07:59.485Z

Link: CVE-2026-49383

cve-icon Vulnrichment

Updated: 2026-05-29T19:27:35.752Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T19:16:28.340

Modified: 2026-05-29T20:11:15.977

Link: CVE-2026-49383

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T20:15:06Z

Weaknesses