CVE-2026-25847

8.2 HIGH

📋 TL;DR

A DOM-based cross-site scripting (XSS) vulnerability in JetBrains PyCharm's Jupyter viewer page allows attackers to execute arbitrary JavaScript in the context of the user's browser session. This affects users of PyCharm versions before 2025.3.2 who use the Jupyter notebook integration feature.

💻 Affected Systems

Products:
  • JetBrains PyCharm Professional Edition
  • JetBrains PyCharm Community Edition
Versions: All versions before 2025.3.2
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who use the Jupyter notebook viewer within PyCharm.

📦 What is this software?

JetBrains PyCharm is a desktop IDE for Python development. Its Jupyter integration opens and renders .ipynb notebook files, including their HTML and rich cell outputs, inside the IDE; that viewer page is the component affected by this issue.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account compromise via session hijacking, data theft, or malware delivery through the IDE interface.

🟠 Likely Case: Session hijacking leading to unauthorized access to Jupyter notebooks, source code repositories, or IDE settings.

🟢 If Mitigated: Limited impact if the user runs PyCharm in an isolated environment without access to sensitive data.

🌐 Internet-Facing: LOW (PyCharm is typically desktop software, not directly internet-exposed)
🏢 Internal Only: MEDIUM (Requires user interaction with malicious content within the IDE)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to open or interact with a malicious Jupyter notebook file within PyCharm.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.3.2 or later

Vendor Advisory: https://www.jetbrains.com/privacy-security/issues-fixed/

Restart Required: Yes

Instructions:

1. Open PyCharm.
2. Go to Help > Check for Updates.
3. Install the update to version 2025.3.2 or later.
4. Restart PyCharm.

🔧 Temporary Workarounds

Disable Jupyter Integration (applies to: all platforms)

Temporarily disable Jupyter notebook support in PyCharm settings:

Settings/Preferences > Tools > Jupyter > Uncheck 'Enable Jupyter notebook support'

Use External Jupyter (applies to: all platforms)

Use standalone Jupyter applications instead of PyCharm's integrated viewer.

🧯 If You Can't Patch

  • Restrict PyCharm to opening only trusted Jupyter notebook files from verified sources
  • Run PyCharm in a sandboxed or isolated environment without access to sensitive credentials
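As an added example (this script is not part of the advisory or of PyCharm), a Python triage check that flags active HTML content in a notebook's markdown cells and rich outputs before the file is opened in an IDE viewer. It is a generic heuristic for deciding whether an .ipynb from an unverified source deserves a closer look; the advisory does not disclose the actual trigger for this CVE, so the patterns and the sample notebook are assumptions, not indicators of this vulnerability.

```python
import json
import re
from typing import Any, Iterator, List, Tuple

# Heuristic markers of active content in notebook HTML. This is a generic
# triage check for untrusted .ipynb files; it does not encode the trigger for
# CVE-2026-25847, which the advisory does not disclose.
PATTERNS = [
    (re.compile(r"<\s*script\b", re.I), "script tag"),
    (re.compile(r"<\s*(iframe|object|embed)\b", re.I), "embedded frame/object"),
    (re.compile(r"\son[a-z]+\s*=", re.I), "inline event handler"),
    (re.compile(r"javascript\s*:", re.I), "javascript: URL"),
]

def _text(value: Any) -> str:
    """nbformat stores source and output data as a string or a list of lines."""
    return "".join(value) if isinstance(value, list) else str(value)

def _html_fragments(index: int, cell: dict) -> Iterator[Tuple[str, str]]:
    """Yield (location, text) for each piece a viewer may render as HTML."""
    if cell.get("cell_type") == "markdown":
        yield f"cell[{index}].source", _text(cell.get("source", ""))
    for n, out in enumerate(cell.get("outputs", [])):
        data = out.get("data", {})
        for mime in ("text/html", "image/svg+xml"):
            if mime in data:
                yield f"cell[{index}].outputs[{n}]:{mime}", _text(data[mime])

def scan_notebook(nb: dict) -> List[Tuple[str, str]]:
    """Return (location, reason) findings; an empty list means nothing flagged."""
    findings = []
    for i, cell in enumerate(nb.get("cells", [])):
        for location, text in _html_fragments(i, cell):
            for pattern, reason in PATTERNS:
                if pattern.search(text):
                    findings.append((location, reason))
    return findings

def scan_file(path: str) -> List[Tuple[str, str]]:
    with open(path, encoding="utf-8") as fh:
        return scan_notebook(json.load(fh))

# Constructed sample: a benign cell, a markdown cell with an inline event
# handler, and a code cell whose rich output carries a script tag.
SAMPLE_NOTEBOOK = {"cells": [
    {"cell_type": "markdown", "source": ["# Weekly report\n", "All nominal."]},
    {"cell_type": "markdown", "source": ['<img src="x" onerror="void(0)">']},
    {"cell_type": "code", "source": "display(HTML(html_string))", "outputs": [
        {"output_type": "display_data", "data": {"text/plain": "<HTML object>",
         "text/html": ["<div><script>/* constructed */</script></div>"]}}]}]}
```

Run `scan_file("notebook.ipynb")` on a real file; a non-empty result is a reason to review the notebook in a plain text editor rather than open it in the IDE viewer.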

🔍 How to Verify

Check if Vulnerable:

Check PyCharm version in Help > About. If version is below 2025.3.2, you are vulnerable.

Check Version:

Help > About (GUI only, no CLI command)

Verify Fix Applied:

After updating, verify version is 2025.3.2 or higher in Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript execution in PyCharm logs
  • Unexpected network requests from PyCharm process

Network Indicators:

  • Suspicious outbound connections from PyCharm to unexpected domains

SIEM Query:

process:("pycharm.exe" OR "pycharm") AND (event:"script_execution" OR network.destination:<suspicious_domain>)

🔗 References

  • JetBrains security advisories: https://www.jetbrains.com/privacy-security/issues-fixed/