Severity by source
Sources disagree (Low–Critical)AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable bridge but exploitation needs a crafted prototype-polluting payload (AC:H) and access to sandbox features likely behind a login (PR:L); SSVC 'partial' impact and the info-disclosure tag justify C:L/I:L/A:N.
vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
AnalysisAI
Prototype pollution in JetBrains YouTrack's websandbox bridge (all versions before 2026.2.16593) lets an attacker who can reach the sandbox boundary corrupt JavaScript Object.prototype, potentially escaping the sandbox or disclosing information. The flaw was internally reported by JetBrains and classed as CWE-1321; it carries a vendor-published CVSS of 9.8, but no public exploit has been identified at time of analysis and EPSS rates exploitation probability low at 0.40% (32nd percentile).
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to send attacker-controlled object data into the YouTrack websandbox bridge - i.e., the deployment must expose the sandboxed scripting/workflow/widget functionality that uses this bridge, and the attacker must supply a payload carrying prototype-polluting keys ('__proto__', 'constructor', 'prototype'). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals here conflict and should temper the headline severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can submit input that reaches the YouTrack websandbox bridge - for example via a crafted workflow/widget payload or sandboxed-script interaction - sends an object containing '__proto__'/'constructor' keys that the bridge merges without sanitization. The polluted prototype then corrupts downstream object handling, enabling information disclosure across the sandbox boundary or altered application behavior. … |
| Remediation | Vendor-released patch: 2026.2.16593 - upgrade JetBrains YouTrack to version 2026.2.16593 or later, which remediates the websandbox bridge prototype pollution; this is the primary and recommended fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Enumerate all YouTrack instances and document current versions across development, staging, and production environments. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Prototype Pollution
View allPrototype pollution in Adobe Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier enables arbitrary code execu
Prototype pollution in the farinspace Partners WordPress plugin (versions up to and including 0.2.0) enables remote unau
Prototype pollution vulnerability in 'deephas' versions 1.0.0 through 1.0.5 allows attacker to cause a denial of service
A Prototype Pollution issue in Cronvel Tree-kit v.0.7.4 and before allows a remote attacker to execute arbitrary code vi
A Prototype Pollution issue in Aliconnect /sdk v.0.0.6 allows an attacker to execute arbitrary code via the aim function
All versions of the package safe-eval are vulnerable to Prototype Pollution via the safeEval function, due to improper s
This affects the package vm2 before 3.9.4 via a Prototype Pollution attack vector, which can lead to execution of arbitr
Prototype Pollution in chargeover redoc v2.0.9-rc.69 allows attackers to execute arbitrary code or cause a Denial of Ser
alizeait unflatto <= 1.0.2 was discovered to contain a prototype pollution via the method exports.unflatto at /dist/inde
A vulnerability exists in the 'dagre-d3-es' Node.js package version 7.0.9, specifically within the 'bk' module's addConf
A Prototype Pollution vulnerability in the util-deps.addFileDepend function of magix-combine-ex versions thru 1.2.10 all
Chartist 1.x through 1.3.0 allows Prototype Pollution via the extend function. Rated critical severity (CVSS 9.8), this
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39658