PatchSiren cyber security CVE debrief
CVE-2026-49382 JetBrains CVE debrief
A template injection vulnerability in the Copyright plugin of JetBrains IntelliJ IDEA before version 2026.1 could allow code execution. The vulnerability, classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), requires local access with high attack complexity and user interaction. The CVSS 3.1 score of 4.5 reflects limited impacts to confidentiality, integrity, and availability. JetBrains has addressed this issue in version 2026.1, as documented in their security advisories.
- Vendor: JetBrains
- Product: IntelliJ IDEA
- CVSS: MEDIUM 4.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-29
- Original CVE updated: 2026-05-29
- Advisory published: 2026-05-29
- Advisory updated: 2026-05-29
Who should care
Organizations and developers using JetBrains IntelliJ IDEA, particularly those utilizing the Copyright plugin with custom templates. Development teams in regulated industries with strict code provenance requirements should prioritize patching due to potential supply chain implications if malicious templates were distributed.
Technical summary
The Copyright plugin in JetBrains IntelliJ IDEA versions prior to 2026.1 contains a template injection vulnerability (CWE-1336) that can lead to code execution. The vulnerability stems from improper neutralization of special elements in template expressions used by the plugin. Exploitation requires user interaction and high attack complexity, limiting practical exploitability. The attack vector is local, meaning an attacker would need to leverage local access or social engineering to deliver a malicious payload. JetBrains has patched this vulnerability in version 2026.1.
Defensive priority
medium
Recommended defensive actions
- Upgrade JetBrains IntelliJ IDEA to version 2026.1 or later to remediate the template injection vulnerability in the Copyright plugin
- Review and audit custom copyright templates in use prior to upgrading, as these may contain or trigger the vulnerable code path
- For environments where immediate upgrading is not feasible, restrict access to IntelliJ IDEA configurations and avoid opening untrusted projects that may contain malicious copyright templates
- Monitor JetBrains security advisories for additional guidance or patches that may be released for older supported versions
- Consider implementing application control policies to prevent execution of untrusted code within the IDE environment
Evidence notes
The vulnerability affects IntelliJ IDEA versions prior to 2026.1. The CVSS vector (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) indicates local attack vector, high complexity, no privileges required, user interaction needed, with low impacts across confidentiality, integrity, and availability. The weakness is identified as CWE-1336 (template injection).
Official resources
- CVE-2026-49382 CVE record (CVE.org)
- CVE-2026-49382 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
JetBrains disclosed this vulnerability on May 29, 2026, through their official security issues page. The CVE was published to NVD the same day with status 'Undergoing Analysis'. No known exploitation in the wild has been reported, and the K