Skip to main content

JetBrains YouTrack CVE-2026-57926

| EUVDEUVD-2026-39658 CRITICAL
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) (CWE-1321)
2026-06-26 JetBrains
Critical
Disputed · 9.8 NVD
Share

Severity by source

Sources disagree (Low–Critical)
Vendor (JetBrains) PRIMARY
LOW
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
4.2 MEDIUM

Network-reachable bridge but exploitation needs a crafted prototype-polluting payload (AC:H) and access to sandbox features likely behind a login (PR:L); SSVC 'partial' impact and the info-disclosure tag justify C:L/I:L/A:N.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jun 27, 2026 - 18:58 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 27, 2026 - 18:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 27, 2026 - 18:52 vuln.today
cvss_changed
Severity Changed
Jun 27, 2026 - 18:52 NVD
LOW CRITICAL
CVSS changed
Jun 27, 2026 - 18:52 NVD
2.6 (LOW) 9.8 (CRITICAL)
Patch available
Jun 26, 2026 - 15:01 EUVD
Analysis Generated
Jun 26, 2026 - 13:51 vuln.today

DescriptionNVD

In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack

AnalysisAI

Prototype pollution in JetBrains YouTrack's websandbox bridge (all versions before 2026.2.16593) lets an attacker who can reach the sandbox boundary corrupt JavaScript Object.prototype, potentially escaping the sandbox or disclosing information. The flaw was internally reported by JetBrains and classed as CWE-1321; it carries a vendor-published CVSS of 9.8, but no public exploit has been identified at time of analysis and EPSS rates exploitation probability low at 0.40% (32nd percentile).

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach YouTrack websandbox bridge
Delivery
Submit object with __proto__ keys
Exploit
Pollute Object.prototype
Execution
Corrupt downstream property handling
Impact
Disclose data or escape sandbox

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to send attacker-controlled object data into the YouTrack websandbox bridge - i.e., the deployment must expose the sandboxed scripting/workflow/widget functionality that uses this bridge, and the attacker must supply a payload carrying prototype-polluting keys ('__proto__', 'constructor', 'prototype'). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals here conflict and should temper the headline severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can submit input that reaches the YouTrack websandbox bridge - for example via a crafted workflow/widget payload or sandboxed-script interaction - sends an object containing '__proto__'/'constructor' keys that the bridge merges without sanitization. The polluted prototype then corrupts downstream object handling, enabling information disclosure across the sandbox boundary or altered application behavior. …
Remediation Vendor-released patch: 2026.2.16593 - upgrade JetBrains YouTrack to version 2026.2.16593 or later, which remediates the websandbox bridge prototype pollution; this is the primary and recommended fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Enumerate all YouTrack instances and document current versions across development, staging, and production environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-34621 HIGH POC
8.6 Apr 11

Prototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu

CVE-2024-56059 CRITICAL
9.8 Dec 18

Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau

CVE-2020-28271 CRITICAL POC
9.8 Nov 12

Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service

CVE-2023-38894 CRITICAL POC
9.8 Aug 16

A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi

CVE-2024-24292 CRITICAL POC
9.8 Mar 28

A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function

CVE-2023-26121 CRITICAL POC
10.0 Apr 11

All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s

CVE-2021-23449 CRITICAL POC
10.0 Oct 18

This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr

CVE-2024-39011 CRITICAL POC
9.8 Jul 30

Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser

CVE-2024-38988 CRITICAL POC
9.8 Mar 28

alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde

CVE-2025-57347 CRITICAL POC
9.8 Sep 24

A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf

CVE-2025-57321 CRITICAL POC
9.8 Sep 24

A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all

CVE-2024-45435 CRITICAL POC
9.8 Aug 29

Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this

Share

CVE-2026-57926 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy