YouTrack
by JetBrains
CVEs (48)
| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33392 | High | 0.47 | 7.2 | 0.00 | | Apr 17, 2026 | In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass |
| CVE-2024-50582 | | 0.02 | — | 0.22 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements |
| CVE-2024-50581 | | 0.02 | — | 0.22 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag |
| CVE-2024-50580 | | 0.02 | — | 0.24 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule |
| CVE-2024-50578 | | 0.02 | — | 0.22 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page |
| CVE-2024-50576 | | 0.02 | — | 0.22 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest |
| CVE-2024-50579 | | 0.01 | — | 0.08 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible |
| CVE-2024-50577 | | 0.01 | — | 0.17 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings |
| CVE-2024-50575 | | 0.01 | — | 0.08 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API |
| CVE-2026-28193 | | 0.00 | — | 0.00 | | Feb 25, 2026 | In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint |
| CVE-2026-25846 | | 0.00 | — | 0.00 | | Feb 9, 2026 | In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs |
| CVE-2025-64773 | | 0.00 | — | 0.00 | | Nov 11, 2025 | In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit |
| CVE-2025-64685 | | 0.00 | — | 0.00 | | Nov 10, 2025 | In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure |
| CVE-2025-64684 | | 0.00 | — | 0.00 | | Nov 10, 2025 | In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form |
| CVE-2025-57731 | | 0.00 | — | 0.00 | | Aug 20, 2025 | In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content |
| CVE-2025-54527 | | 0.00 | — | 0.00 | | Jul 28, 2025 | In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344 improper iframe configuration in widget sandbox allows popups to bypass security restrictions |
| CVE-2025-53959 | | 0.00 | — | 0.00 | | Jul 15, 2025 | In JetBrains YouTrack before 2025.2.86069, 2024.3.85077, 2025.1.86199 email spoofing via an administrative API was possible |
| CVE-2025-47850 | | 0.00 | — | 0.00 | | May 20, 2025 | In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning |
| CVE-2025-48391 | | 0.00 | — | 0.00 | | May 20, 2025 | In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API |
| CVE-2025-24458 | | 0.00 | — | 0.00 | | Jan 21, 2025 | In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration |