| Vendor | Products | CVEs | KEV | Avg EPSS | Worst Severity |
|---|---|---|---|---|---|
| JetBrains | 25 | 212 | 0 | 23.6% | CRITICAL |
| CVE ID | Description | Severity | CVSS | KEV | EPSS | Published | |
|---|---|---|---|---|---|---|---|
| CVE-2026-49386 | In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas | MEDIUM | 6.5 | — | 16.0% | May 29, 2026 | |
| CVE-2026-49385 | In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts | MEDIUM | 6.5 | — | 11.5% | May 29, 2026 | |
| CVE-2026-49384 | In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible | MEDIUM | 6.1 | — | 7.9% | May 29, 2026 | |
| CVE-2026-49383 | In JetBrains IntelliJ IDEA before 2026.1 XXE in the UI Designer form parser was possible | LOW | 3.3 | — | 1.5% | May 29, 2026 | |
| CVE-2026-49382 | In JetBrains IntelliJ IDEA before 2026.1 code execution was possible via template injection in the Copyright plugin | HIGH | 7.8 | — | 3.3% | May 29, 2026 | |
| CVE-2026-49381 | In JetBrains TeamCity before 2026.1 stored XSS on the SAML login page was possible | MEDIUM | 4.8 | — | 10.6% | May 29, 2026 | |
| CVE-2026-49380 | In JetBrains TeamCity before 2026.1 open redirect in the SAML plugin was possible | MEDIUM | 6.1 | — | 6.0% | May 29, 2026 | |
| CVE-2026-49379 | In JetBrains TeamCity before 2026.1 credentials could be exposed in thread names | MEDIUM | 6.5 | — | 15.9% | May 29, 2026 | |
| CVE-2026-49378 | In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion | MEDIUM | 4.3 | — | 11.3% | May 29, 2026 | |
| CVE-2026-49377 | In JetBrains TeamCity before 2025.11.2 exposure of sensitive data via default agent parameters | MEDIUM | 4.3 | — | 47.3% | May 29, 2026 | |
| CVE-2026-49376 | In JetBrains TeamCity before 2026.1 insufficient username validation in the SAML plugin | MEDIUM | 6.5 | — | 10.9% | May 29, 2026 | |
| CVE-2026-49375 | In JetBrains TeamCity before 2026.1, 2025.11.5 reflected XSS was possible on the repository download page | MEDIUM | 6.1 | — | 11.8% | May 29, 2026 | |
| CVE-2026-49374 | In JetBrains TeamCity before 2026.1 improper permission checks exposed build configuration parameters | HIGH | 7.6 | — | 13.2% | May 29, 2026 | |
| CVE-2026-49373 | In JetBrains TeamCity before 2026.1 remote code execution was possible via Perforce connection settings | HIGH | 8.8 | — | 32.9% | May 29, 2026 | |
| CVE-2026-49372 | In JetBrains TeamCity before 2026.1, 2025.11.5 unauthenticated SSRF via build status was possible | HIGH | 7.5 | — | 20.4% | May 29, 2026 | |
| CVE-2026-49371 | In JetBrains TeamCity before 2026.1.1 reflected XSS in the keyword filter was possible | HIGH | 8.2 | — | 16.5% | May 29, 2026 | |
| CVE-2026-49370 | In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests | HIGH | 7.5 | — | 13.7% | May 29, 2026 | |
| CVE-2026-49369 | In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages | MEDIUM | 4.3 | — | 9.6% | May 29, 2026 | |
| CVE-2026-49368 | In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible | MEDIUM | 5.4 | — | 9.8% | May 29, 2026 | |
| CVE-2026-49367 | In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account | HIGH | 8.8 | — | 24.9% | May 29, 2026 | |