Description
In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible
Published: 2026-05-29
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an attacker to embed a malicious script in a Jupyter notebook markdown cell that is opened in JetBrains PyCharm, causing the script to run in the IDE's renderer. The consequence is the ability to execute arbitrary code within the IDE, potentially stealing credentials or modifying local files. This is an example of the input-sanitization weakness classified as CWE-79.

Affected Systems

JetBrains PyCharm versions prior to 2025.3.4 are affected. The vulnerability applies to all installations that use the built-in Jupyter notebook support, regardless of operating system.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in the KEV catalog, suggesting no known exploitation activity. Exploitation requires the attacker to supply a malicious notebook file that the user opens in PyCharm, so user interaction is a prerequisite. Users who open notebooks from untrusted or unknown sources are at risk of having arbitrary scripts executed in the IDE environment.

Generated by OpenCVE AI on May 29, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains PyCharm to 2025.3.4 or newer.
  • Configure PyCharm to disable or strip embedded HTML/JavaScript in markdown cells if such a setting exists.
  • Avoid opening Jupyter notebooks from untrusted or external sources; use a separate editor for such files when possible.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Jetbrains, Jetbrains pycharm
Vendors & Products  |                | Jetbrains, Jetbrains pycharm
Metrics             |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 20:00:00 +0000

Type  | Values Removed | Values Added
Title |                | Stored XSS Vulnerability in PyCharm Jupyter Notebook Markdown Cells

Fri, 29 May 2026 18:30:00 +0000

Type        | Values Removed | Values Added
Description |                | In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-05-29T19:27:26.582Z

Reserved: 2026-05-29T18:07:59.764Z

Link: CVE-2026-49384

Vulnrichment

Updated: 2026-05-29T19:27:20.758Z

NVD

Status : Awaiting Analysis

Published: 2026-05-29T19:16:28.453

Modified: 2026-05-29T20:11:15.977

Link: CVE-2026-49384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T20:15:06Z

Weaknesses