JetBrains PyCharm < 2025.3.4 Stored XSS

🗓️ 04 Jun 2026 00:00:00Reported by TenableType

JetBrains PyCharm before 2025.3.4 is affected by a stored XSS in Jupyter notebook Markdown cells.

Reporter	Title	Published	Views	Family All 9
ATTACKERKB	CVE-2026-49384	29 May 202618:15	–	attackerkb
CNNVD	JetBrains PyCharm 跨站脚本漏洞	29 May 202600:00	–	cnnvd
CVE	CVE-2026-49384	29 May 202618:15	–	cve
Cvelist	CVE-2026-49384	29 May 202618:15	–	cvelist
EUVD	EUVD-2026-33392	29 May 202618:15	–	euvd
NVD	CVE-2026-49384	29 May 202619:16	–	nvd
Positive Technologies	PT-2026-44964	29 May 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-49384	5 Jun 202619:34	–	redhatcve
Vulnrichment	CVE-2026-49384	29 May 202618:15	–	vulnrichment

Source	Link
jetbrains	www.jetbrains.com/privacy-security/issues-fixed/
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(318672);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/06/09");

  script_cve_id("CVE-2026-49384");
  script_xref(name:"IAVA", value:"2026-A-0538");

  script_name(english:"JetBrains PyCharm < 2025.3.4 Stored XSS");

  script_set_attribute(attribute:"synopsis", value:
"The Python IDE installed on the remote host is affected by a cross-site scripting vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the JetBrains PyCharm installation on the remote host is prior to 2025.3.4.
It is, therefore, affected by a stored cross-site scripting (XSS) vulnerability in Jupyter notebook Markdown cells.

In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.jetbrains.com/privacy-security/issues-fixed/");
  script_set_attribute(attribute:"solution", value:
"Upgrade JetBrains PyCharm to version 2025.3.4 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-49384");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/29");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/05/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/06/04");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:jetbrains:pycharm");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("pycharm_macos_installed.nbin", "pycharm_win_installed.nbin");
  script_require_keys("Host/local_checks_enabled", "installed_sw/PyCharm");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'checks': [
    {
      'product': {'name': 'PyCharm', 'type': 'app'},
      'check_algorithm': 'default',
      'constraints': [
        {'fixed_version': '2025.3.4'}
      ]
    }
  ]
};

var res = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_WARNING, flags:{"xss":TRUE});
vdf::handle_check_and_report_errors(vdf_result:res);

09 Jun 2026 00:00Current

5.3Medium risk

Vulners AI Score5.3

CVSS 3.16.1

EPSS0.00181

SSVC