YouTrack
by JetBrains
CVEs (114)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-54527 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Jul 28, 2025 | In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344 improper iframe configuration in widget sandbox allows popups to bypass security restrictions |
| CVE-2025-53959 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Jul 15, 2025 | In JetBrains YouTrack before 2025.2.86069, 2024.3.85077, 2025.1.86199 email spoofing via an administrative API was possible |
| CVE-2025-47850 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | May 20, 2025 | In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning |
| CVE-2025-48391 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | May 20, 2025 | In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API |
| CVE-2025-24458 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Jan 21, 2025 | In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration |
| CVE-2025-24457 | JetBrains / YouTrack | | 0.00 | — | 0.01 | | Jan 21, 2025 | In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs |
| CVE-2024-54158 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding |
| CVE-2024-54157 | JetBrains / YouTrack | | 0.00 | — | 0.01 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector |
| CVE-2024-54156 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack |
| CVE-2024-54155 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication |
| CVE-2024-54154 | JetBrains / YouTrack | | 0.00 | — | 0.01 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox |
| CVE-2024-54153 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Dec 4, 2024 | In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter |
| CVE-2024-50574 | JetBrains / YouTrack | | 0.00 | — | 0.01 | | Oct 28, 2024 | In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality |
| CVE-2024-49579 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Oct 17, 2024 | In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests |
| CVE-2024-48902 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Oct 10, 2024 | In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API |
| CVE-2024-47162 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Sep 19, 2024 | In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page |
| CVE-2024-47160 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Sep 19, 2024 | In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible |
| CVE-2024-47159 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Sep 19, 2024 | In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project |
| CVE-2024-38506 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Jun 18, 2024 | In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows |
| CVE-2024-38505 | JetBrains / YouTrack | | 0.00 | — | 0.00 | | Jun 18, 2024 | In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site |
Page 2 of 6