CVE-2026-49384: PyCharm: stored XSS via Jupyter Markdown cells

MEDIUM
Published May 29, 2026
CISO Take

JetBrains PyCharm versions before 2025.3.4 contain a stored XSS vulnerability in the IDE's Jupyter notebook Markdown renderer, allowing an attacker to embed malicious scripts in notebook cells that execute silently when a developer opens the file. For AI/ML teams, this is a meaningful risk because Jupyter notebooks are first-class artifacts routinely shared via Git repositories, model hubs, and collaboration tools: a single crafted notebook reaching a developer's workstation can steal API keys (OpenAI, HuggingFace, cloud providers), session tokens, or environment variables stored in the IDE context. No public exploits exist and the vulnerability is absent from CISA KEV, making opportunistic mass exploitation unlikely, but the low attack complexity (AC:L, no privileges required, changed scope S:C) keeps the barrier low for targeted supply chain or social engineering scenarios. Teams should update PyCharm to 2025.3.4 immediately and enforce policies against opening notebooks from unreviewed or external sources.

Sources: NVD, ATLAS, jetbrains.com

What is the risk?

Medium risk overall, elevated for organizations with active Jupyter notebook sharing workflows. CVSS 6.1 (S:C/C:L/I:L/A:N) reflects a changed scope and mandatory user interaction, which prevents automated propagation. However, the stored nature of the XSS means the payload persists in the notebook file itself and can propagate through version control systems, CI pipelines, and model sharing platforms, significantly broadening reach beyond a single-user exploit. Attack complexity is low and no attacker privileges are required, making it accessible to moderately skilled adversaries. No EPSS data available; not in CISA KEV; no scanner templates or public proof-of-concept. Risk is primarily realized in collaborative AI/ML development environments where notebook sharing is routine.

Attack Kill Chain

  1. Artifact Weaponization (AML.T0011.000): Adversary crafts a Jupyter notebook with a stored XSS payload embedded in a Markdown cell, disguised as legitimate documentation, model card, or example code.

  2. Delivery via Notebook Sharing (AML.T0095.000): Malicious notebook is distributed through a public GitHub repository, model hub, or direct file transfer targeting ML developers known to use PyCharm.

  3. XSS Execution in IDE (AML.T0049): Developer opens the notebook in PyCharm < 2025.3.4; the stored XSS triggers in the Markdown renderer, executing attacker-controlled JavaScript within the IDE context.

  4. Credential Exfiltration (AML.T0025): Executed script harvests AI service API keys, cloud credentials, and session tokens from the developer's environment and exfiltrates them to an attacker-controlled endpoint.

Severity & Risk

CVSS 3.1: 6.1 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

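Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None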

What should I do?

  1. Patch: Upgrade JetBrains PyCharm to version 2025.3.4 or later (vendor advisory: jetbrains.com/privacy-security/issues-fixed/).

  2. Workaround: Until patching, restrict opening Jupyter notebooks from external, unverified, or untrusted sources in PyCharm.

  3. Pipeline control: Integrate notebook sanitization (nbstripout, nbconvert output stripping) and static XSS scanning in CI/CD pipelines before notebooks are merged to shared repositories.

  4. Credential hygiene: Rotate any AI service API keys, cloud credentials, or session tokens that may have been present in PyCharm's environment if compromise is suspected.

  5. Detection: Monitor for anomalous network connections originating from PyCharm processes; review IDE logs for unexpected script execution after notebook opens.
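One way to implement the static XSS scanning from step 3 as a CI gate, shown as an added example that is not part of the advisory or any JetBrains tooling. The advisory does not describe the payload shape, so the tag list, attribute list and function names below are an assumed policy: any HTML in a Markdown cell that can run script or load active content fails the check.

```python
import json
import re
from html.parser import HTMLParser

# Assumed CI policy (not from the advisory): no script-capable HTML in Markdown cells.
RISKY_TAGS = {"script", "iframe", "object", "embed", "style", "link", "meta", "base", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
RISKY_URL = re.compile(r"^(javascript:|vbscript:|data:text/html)", re.I)
MD_LINK = re.compile(r"\]\(\s*(javascript:|vbscript:|data:text/html)", re.I)

class ActiveHtmlFinder(HTMLParser):
    # HTMLParser lowercases tag/attribute names and decodes entities in values.
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag in RISKY_TAGS:
            self.hits.append(f"<{tag}> element")
        for name, value in attrs:
            url = re.sub(r"[\x00-\x20]", "", value or "")  # browsers ignore these in URLs
            if name.startswith("on"):
                self.hits.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and RISKY_URL.match(url):
                self.hits.append(f"script URL in {name} on <{tag}>")

def scan_notebook(nb_json):
    """Return [(cell_index, finding)] for the Markdown cells of an nbformat 4 notebook."""
    findings = []
    for i, cell in enumerate(json.loads(nb_json).get("cells", [])):
        if cell.get("cell_type") != "markdown":
            continue  # code cells are source text, not rendered HTML
        src = cell.get("source", "")
        text = "".join(src) if isinstance(src, list) else src
        finder = ActiveHtmlFinder()
        finder.feed(text)
        finder.close()
        if MD_LINK.search(text):
            finder.hits.append("script URL in Markdown link")
        findings += [(i, hit) for hit in finder.hits]
    return findings

# Constructed sample notebook: cell 0 is clean, cell 1 is code (ignored), 2 and 3 are flagged.
SAMPLE = json.dumps({"nbformat": 4, "cells": [
    {"cell_type": "markdown", "source": "# Fine-tuning example\nSee [docs](https://example.com)."},
    {"cell_type": "code", "source": "html = '<script>'"},
    {"cell_type": "markdown", "source": ["## Setup\n", '<img src="logo.png" onload="void(0)">\n']},
    {"cell_type": "markdown", "source": "[notes](javascript:void(0))"},
]})
```

In a pipeline, fail the job when scan_notebook returns a non-empty list for any changed .ipynb file. HTML shown inside fenced code examples in a Markdown cell is also flagged, so the check fails closed and such cells need manual review.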

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.1.2 - Roles and responsibilities for AI system security
NIST AI RMF
GOVERN 1.1 - Policies, processes, and practices for AI risk management
OWASP LLM Top 10
LLM02 - Insecure Output Handling

Frequently Asked Questions

Is CVE-2026-49384 actively exploited?

No confirmed active exploitation of CVE-2026-49384 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-49384?

  1. Patch: Upgrade JetBrains PyCharm to version 2025.3.4 or later (vendor advisory: jetbrains.com/privacy-security/issues-fixed/).

  2. Workaround: Until patching, restrict opening Jupyter notebooks from external, unverified, or untrusted sources in PyCharm.

  3. Pipeline control: Integrate notebook sanitization (nbstripout, nbconvert output stripping) and static XSS scanning in CI/CD pipelines before notebooks are merged to shared repositories.

  4. Credential hygiene: Rotate any AI service API keys, cloud credentials, or session tokens that may have been present in PyCharm's environment if compromise is suspected.

  5. Detection: Monitor for anomalous network connections originating from PyCharm processes; review IDE logs for unexpected script execution after notebook opens.

What systems are affected by CVE-2026-49384?

This vulnerability affects the following AI/ML architecture patterns: ML development environments, Jupyter notebook workflows, Training pipelines, Model development environments.

What is the CVSS score for CVE-2026-49384?

CVE-2026-49384 has a CVSS v3.1 base score of 6.1 (MEDIUM).

AI Security Impact

Affected AI Architectures

ML development environments
Jupyter notebook workflows
Training pipelines
Model development environments

MITRE ATLAS Techniques

AML.T0011.000 Unsafe AI Artifacts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.2
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM02

Technical Details

Original Advisory

In JetBrains PyCharm before 2025.3.4 stored XSS in Jupyter notebook Markdown cells was possible

Exploitation Scenario

An adversary targeting an AI/ML development team publishes a Jupyter notebook on GitHub as a 'pre-trained LLM fine-tuning example' or shares it directly via Slack as onboarding material. The notebook contains a stored XSS payload embedded within a Markdown cell — invisible to casual review and disguised as a heading or documentation block. When a developer using PyCharm < 2025.3.4 opens the notebook, the payload executes within PyCharm's rendering context, silently harvesting the developer's OpenAI/Anthropic API keys, HuggingFace tokens, and any AWS/GCP credentials present as environment variables. These credentials are exfiltrated to an attacker-controlled server, enabling access to the organization's ML training infrastructure and model registries.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Timeline

Published
May 29, 2026
Last Modified
May 29, 2026
First Seen
May 29, 2026
