Youtrack
by Jetbrains
CVEs (114)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-49368 | | Hig | 0.57 | 8.7 | 0.00 | | May 29, 2026 | In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible |
| CVE-2026-33392 | | Hig | 0.47 | 7.2 | 0.00 | | Apr 17, 2026 | In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass |
| CVE-2026-49386 | | Med | 0.42 | 6.5 | 0.00 | | May 29, 2026 | In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas |
| CVE-2026-49385 | | Med | 0.42 | 6.5 | 0.00 | | May 29, 2026 | In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts |
| CVE-2026-49369 | | Med | 0.28 | 4.3 | 0.00 | | May 29, 2026 | In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages |
| CVE-2026-49370 | | Low | 0.22 | 3.4 | 0.00 | | May 29, 2026 | In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests |
| CVE-2024-50582 | | | 0.02 | — | 0.00 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements |
| CVE-2024-50581 | | | 0.02 | — | 0.00 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag |
| CVE-2024-50580 | | | 0.02 | — | 0.00 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule |
| CVE-2024-50578 | | | 0.02 | — | 0.00 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page |
| CVE-2024-50576 | | | 0.02 | — | 0.00 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest |
| CVE-2024-50579 | | | 0.01 | — | 0.00 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible |
| CVE-2024-50577 | | | 0.01 | — | 0.00 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings |
| CVE-2024-50575 | | | 0.01 | — | 0.00 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API |
| CVE-2026-28193 | | | 0.00 | — | 0.00 | | Feb 25, 2026 | In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint |
| CVE-2026-25846 | | | 0.00 | — | 0.01 | | Feb 9, 2026 | In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs |
| CVE-2025-64773 | | | 0.00 | — | 0.00 | | Nov 11, 2025 | In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit |
| CVE-2025-64685 | | | 0.00 | — | 0.00 | | Nov 10, 2025 | In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure |
| CVE-2025-64684 | | | 0.00 | — | 0.00 | | Nov 10, 2025 | In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form |
| CVE-2025-57731 | | | 0.00 | — | 0.00 | | Aug 20, 2025 | In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content |