Cyber Posture

CVE-2026-25847

High

Published: 09 February 2026

Modified: 18 February 2026
KEV Added: not listed
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L)
EPSS Score: 0.0001 (0.4th percentile)
Risk Priority: 16 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25847 is a high-severity Cross-site Scripting (CWE-79) vulnerability in JetBrains PyCharm. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). Its EPSS exploit likelihood ranks at the 0.4th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and 3 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Directly mandates timely remediation of flaws like the DOM-based XSS in PyCharm's Jupyter viewer through patching to version 2025.3.2 or later.

SI-15 Information Output Filtering (prevent): Requires filtering of information outputs in the Jupyter viewer page to block malicious script injection from crafted notebooks or URLs.

SI-10 Information Input Validation (prevent): Enforces validation of inputs to the Jupyter viewer to mitigate malicious payloads that could trigger DOM-based XSS execution.

MITRE ATT&CK Enterprise Techniques

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
T1204.001 Malicious Link (Execution): An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1204.002 Malicious File (Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

DOM-based XSS directly enables JavaScript execution (T1059.007) in the Jupyter viewer; it is triggered by a user opening a malicious notebook or URL (T1204.001/T1204.002); and it facilitates stealing session tokens or cookies (T1539).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In JetBrains PyCharm before 2025.3.2 a DOM-based XSS on Jupyter viewer page was possible

Deeper analysis

CVE-2026-25847 is a DOM-based cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting JetBrains PyCharm versions prior to 2025.3.2. The issue resides specifically in the Jupyter viewer page, where malicious input could lead to script execution in the victim's browser context. Published on 2026-02-09, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L), indicating high severity due to its potential for significant data exposure and manipulation.

Remote attackers can exploit this vulnerability over the network without requiring privileges, though it demands high attack complexity and user interaction, such as a victim opening a maliciously crafted Jupyter notebook or URL in the viewer. Upon successful exploitation, the changed scope allows attackers to achieve high confidentiality and integrity impacts—such as stealing sensitive data like session tokens or modifying page content—while causing only low availability disruption.

JetBrains has mitigated the vulnerability in PyCharm 2025.3.2, with details available on their issues fixed page at https://www.jetbrains.com/privacy-security/issues-fixed/. Security practitioners should ensure users upgrade to this version or later to prevent exploitation.

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products

Vendor: jetbrains
Product: pycharm
Versions: ≤ 2025.3.2

CVEs Like This One

CVE-2025-24459 (same vendor: JetBrains)
CVE-2025-26493 (same vendor: JetBrains)
CVE-2026-41153 (same vendor: JetBrains)
CVE-2025-23447 (shared CWE-79)
CVE-2026-32528 (shared CWE-79)
CVE-2026-42366 (shared CWE-79)
CVE-2025-26991 (shared CWE-79)
CVE-2026-27087 (shared CWE-79)
CVE-2025-26565 (shared CWE-79)
CVE-2025-28877 (shared CWE-79)
