PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49384 JetBrains CVE debrief

A stored cross-site scripting (XSS) vulnerability in JetBrains PyCharm before version 2025.3.4 allows malicious JavaScript to persist in Jupyter notebook Markdown cells. The flaw carries a CVSS 3.1 score of 6.1 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network attack vector, low attack complexity, no privileges required, user interaction required, changed scope, low impact on confidentiality and integrity, and no availability impact. The vulnerability was published to the CVE List on 2026-05-29 and is currently undergoing analysis by NVD. JetBrains has addressed this issue in PyCharm 2025.3.4 and later versions.

Vendor: JetBrains
Product: PyCharm
CVSS: MEDIUM 6.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations and developers using JetBrains PyCharm for Jupyter notebook development, particularly in collaborative environments where notebooks are shared or imported from external sources. Security teams managing IDE deployments and notebook security policies.

Technical summary

Stored cross-site scripting (CWE-79) in JetBrains PyCharm's Jupyter notebook integration. Malicious scripts embedded in Markdown cells execute when notebooks are rendered. Affects PyCharm versions prior to 2025.3.4. Remediated in PyCharm 2025.3.4.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade JetBrains PyCharm to version 2025.3.4 or later to remediate the stored XSS vulnerability in Jupyter notebook Markdown cells.
  • Review existing Jupyter notebooks for suspicious Markdown content, particularly in shared or imported notebooks, as stored XSS payloads may persist in notebook files.
  • Educate users on the risks of executing untrusted Jupyter notebooks and implement notebook scanning procedures in collaborative environments.
  • Monitor JetBrains security advisories for additional related fixes or guidance.
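
One way to carry out the notebook review step above, as an added example that is not code from PatchSiren or JetBrains: a scanner that reads .ipynb files and flags Markdown cells containing active HTML. The pattern set, the function names and the sample notebook are assumptions constructed for illustration; the advisory does not describe what a payload looks like, so treat hits as leads for manual review.

```python
import json
import re
from pathlib import Path

# Heuristic indicators of active content in Markdown/HTML. These are assumptions:
# the advisory does not describe what a payload looks like.
PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "event-handler": re.compile(r"<[^>]+\son\w+\s*=", re.I),
    "javascript-uri": re.compile(r"javascript\s*:", re.I),
    "embedded-frame": re.compile(r"<\s*(?:iframe|object|embed)\b", re.I),
}

def scan_notebook(nb_json):
    """Return (cell_index, indicator) pairs for the Markdown cells of one notebook."""
    nb = json.loads(nb_json)
    cells = nb.get("cells")          # nbformat 4
    if cells is None:                # nbformat 3 nests cells in worksheets
        cells = [c for ws in nb.get("worksheets", []) for c in ws.get("cells", [])]
    findings = []
    for idx, cell in enumerate(cells):
        if cell.get("cell_type") != "markdown":
            continue                 # code cells are source text, not rendered HTML
        src = cell.get("source", "")
        text = "".join(src) if isinstance(src, list) else src  # list of lines or one string
        findings += [(idx, name) for name, rx in PATTERNS.items() if rx.search(text)]
    return findings

def scan_tree(root):
    """Scan every .ipynb under root; unparsable files are reported, not skipped."""
    report = {}
    for path in sorted(Path(root).rglob("*.ipynb")):
        try:
            hits = scan_notebook(path.read_text(encoding="utf-8"))
        except (OSError, ValueError, AttributeError):
            hits = [(-1, "unparsable")]
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample notebook (not taken from any real report).
SAMPLE = json.dumps({"nbformat": 4, "cells": [
    {"cell_type": "markdown", "source": ["# Results\n", "See [docs](https://example.com).\n"]},
    {"cell_type": "code", "source": "print('<script>')"},
    {"cell_type": "markdown", "source": ["Chart:\n", "<script>/* constructed */</script>\n"]},
    {"cell_type": "markdown", "source": "<a href=\"javascript:void(0)\" onclick=\"return false\">x</a>"},
]})

if __name__ == "__main__":
    for idx, name in scan_notebook(SAMPLE):
        print(f"cell {idx}: {name}")
```

Markdown cells that legitimately document HTML inside code fences will also match, so expect some false positives on tutorial notebooks.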

Evidence notes

CVE description confirms stored XSS in Jupyter notebook Markdown cells for PyCharm versions prior to 2025.3.4. CVSS vector and score sourced from NVD record. Vendor fix confirmation available via JetBrains security issues page.
