CVE-2026-25848

Published Feb 9, 2026

Last updated 21 days ago

CVSS critical 9.1

Overview

Description
In JetBrains Hub before 2025.3.119807 authentication bypass allowing administrative actions was possible
Source
cve@jetbrains.com
NVD status
Analyzed
Products
hub

Risk scores

CVSS 3.1

Type
Primary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

cve@jetbrains.com
CWE-306

Social media

Hype score
Not currently trending

Configurations

Related CVEs

  1. Insecure permissions in Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows authenticated attackers with low-level privileges to access other users' information via a crafted API request.CVE-2025-65784
  2. An arbitrary file upload vulnerability in the /utils/uploadFile component of Hubert Imoveis e Administracao Ltda Hub v2.0 1.27.3 allows attackers to execute arbitrary code via uploading a crafted PDF file.CVE-2025-65783
  3. In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users APICVE-2025-64683
  4. In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limitCVE-2025-64682
  5. In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitationsCVE-2025-64681

References

Sources include official advisories and independent security research.