CVE-2026-25847: CWE-79 in JetBrains PyCharm
CVE-2026-25847 is a high-severity DOM-based Cross-Site Scripting (XSS) vulnerability affecting JetBrains PyCharm versions prior to 2025.3.2, specifically on the Jupyter viewer page. This vulnerability allows remote attackers to execute arbitrary scripts in the context of the affected application via crafted input that is improperly handled in the DOM. Exploitation requires user interaction but no authentication, and the vulnerability impacts confidentiality, integrity, and availability with a CVSS score of 8.2. Although no known exploits are currently reported in the wild, the vulnerability's scope is significant due to PyCharm's widespread use among developers worldwide. Organizations using PyCharm for Jupyter notebook development or viewing should prioritize patching to mitigate potential risks. The vulnerability is particularly relevant to countries with large software development sectors and significant adoption of JetBrains products. Mitigation involves updating to PyCharm 2025.
AI Analysis
Technical Summary
CVE-2026-25847 is a DOM-based Cross-Site Scripting (XSS) vulnerability classified under CWE-79, discovered in JetBrains PyCharm before version 2025.3.2. The flaw exists on the Jupyter viewer page, where user-supplied input is improperly sanitized or escaped before being inserted into the Document Object Model (DOM). This improper handling allows attackers to inject malicious JavaScript code that executes in the context of the victim's browser session when they interact with the affected page. The vulnerability does not require authentication but does require user interaction, such as opening or viewing a maliciously crafted Jupyter notebook or URL. The CVSS v3.1 base score is 8.2, indicating a high severity level, with vector metrics AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L. This means the attack is network exploitable but requires high attack complexity and user interaction, with no privileges required. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component, impacting confidentiality and integrity at a high level and availability at a low level. No public exploits have been reported yet, but the vulnerability poses a significant risk given PyCharm's popularity among developers for Python and Jupyter notebook development. The lack of a patch link in the provided data suggests users should monitor JetBrains advisories closely and update promptly once patches are available.
Potential Impact
The vulnerability could allow attackers to execute arbitrary scripts in the context of the PyCharm Jupyter viewer, potentially leading to theft of sensitive information such as credentials, tokens, or intellectual property contained within notebooks. It could also enable attackers to manipulate notebook content or perform actions on behalf of the user, undermining data integrity. Although availability impact is low, successful exploitation could disrupt developer workflows or lead to further compromise of development environments. Organizations relying on PyCharm for data science, machine learning, or software development may face increased risk of targeted attacks, especially in environments where notebooks are shared or accessed remotely. The high severity and scope change imply that the vulnerability could be leveraged to pivot attacks beyond the immediate application context, increasing the risk of broader compromise.
Mitigation Recommendations
The primary mitigation is to upgrade JetBrains PyCharm to version 2025.3.2 or later as soon as the patch is released. Until then, organizations should restrict access to the Jupyter viewer page, especially from untrusted networks or users. Implement strict input validation and sanitization on any user-supplied data that may be rendered in the Jupyter viewer context. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts. Educate users about the risks of opening untrusted Jupyter notebooks or links within PyCharm. Monitor network traffic and application logs for suspicious activity indicative of attempted exploitation. Consider isolating development environments or using sandboxing techniques to limit the impact of potential XSS attacks. Regularly review JetBrains security advisories for updates or additional mitigations.
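The unsafe DOM insertion described in the technical summary and the output sanitization recommended above, as an added JavaScript example that is not JetBrains' code and does not reflect how PyCharm's Jupyter viewer is implemented: a minimal notebook-cell renderer in its vulnerable and hardened forms, runnable in Node without a DOM (function names and the sample notebook are constructed).

```javascript
// Added example, not JetBrains' code: the output-encoding step a notebook
// viewer needs before notebook content reaches the DOM. Names are assumed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can break out of text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// .ipynb stores a cell's source as either a string or an array of lines.
function cellSource(cell) {
  return Array.isArray(cell.source) ? cell.source.join('') : String(cell.source ?? '');
}

// Vulnerable pattern (CWE-79): cell fields are spliced straight into markup.
// If a viewer then does container.innerHTML = renderCellUnsafe(cell), any
// markup inside the notebook becomes live DOM in the viewer's origin.
function renderCellUnsafe(cell) {
  return `<pre class="cell ${cell.cell_type}">${cellSource(cell)}</pre>`;
}

// Hardened pattern: untrusted text is HTML-encoded, and the attribute value
// is chosen from a fixed vocabulary instead of being echoed from the file.
function renderCellSafe(cell) {
  const type = ['code', 'markdown', 'raw'].includes(cell.cell_type) ? cell.cell_type : 'raw';
  return `<pre class="cell ${type}">${escapeHtml(cellSource(cell))}</pre>`;
}

// Parse a .ipynb (JSON) string and render every cell with the given renderer.
function renderNotebook(ipynbJson, render = renderCellSafe) {
  const nb = JSON.parse(ipynbJson);
  if (!Array.isArray(nb.cells)) throw new Error('notebook has no cells array');
  return nb.cells.map(render).join('\n');
}

// Check used by tests: does the rendered markup still contain a raw
// <script> tag or an inline event-handler attribute from the source?
function containsLiveMarkup(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Constructed sample notebook; the markdown cell carries the classic probe
// string that must reach the DOM only as text, never as an element.
const SAMPLE_NOTEBOOK = JSON.stringify({
  nbformat: 4, nbformat_minor: 5, metadata: {},
  cells: [
    { cell_type: 'code', metadata: {}, outputs: [], source: ['print("hello")\n'] },
    { cell_type: 'markdown', metadata: {}, source: ['# Notes <script>alert(1)</script>'] },
  ],
});

console.log(renderNotebook(SAMPLE_NOTEBOOK));
```

Rendering the same sample with `renderCellUnsafe` in place of the default shows the script tag surviving into the markup, which is exactly what the viewer must never hand to `innerHTML`.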
Affected Countries
United States, Germany, United Kingdom, France, Japan, China, India, Canada, Australia, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: JetBrains
- Date Reserved: 2026-02-06T14:16:37.003Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6989be7b4b57a58fa145bd8d
Added to database: 2/9/2026, 11:01:15 AM
Last enriched: 2/27/2026, 8:09:20 AM
Last updated: 2/27/2026, 9:03:10 PM