Skip to main content

Youtrack

113 CVEs product

Monthly

CVE-2026-62422 CRITICAL PATCH Act Now

Authentication bypass in JetBrains YouTrack allows attackers to obtain full administrative access by leveraging a direct-database-access code path, per CWE-306 (missing authentication for a critical function). All self-hosted YouTrack builds prior to the 2026.1.13757 / 2025.3.148033 / 2025.2.148048 / 2025.1.148120 / 2024.3.148430 / 2024.2.148429 fix trains are affected, and JetBrains rates it CVSS 10.0. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the maximal severity score and administrative impact make prompt patching essential.

Authentication Bypass Youtrack
NVD
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-61492 MEDIUM PATCH This Month

Stored XSS in JetBrains YouTrack before 2026.2.17394 allows low-privileged authenticated users to inject malicious scripts into article titles, which are then rendered unsanitized within digest emails delivered to other users. When a recipient opens the digest email in an HTML-capable client and interacts with the affected content, the injected script executes in their browser context, enabling session token or credential theft. No public exploit or active exploitation has been identified; the CVSS score of 3.5 (Low) reflects the constrained impact due to required authentication, mandatory user interaction, and limited confidentiality-only impact.

XSS Youtrack
NVD VulDB
CVSS 3.1
6.1
EPSS
0.4%
CVE-2026-59791 LOW PATCH Monitor

CSS injection via Mermaid diagram rendering in JetBrains YouTrack before version 2026.2.17012 permits authenticated low-privilege users to embed malicious CSS into diagram content that executes in the browsers of other users who view the affected page. The CVSS score of 3.5 (Low) reflects the dual gating conditions of required authentication and victim interaction, substantially constraining real-world impact to UI manipulation rather than data exfiltration or code execution. No public exploit code or active exploitation has been identified at time of analysis.

XSS Youtrack
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2026-57926 CRITICAL PATCH Act Now

Prototype pollution in JetBrains YouTrack's websandbox bridge (all versions before 2026.2.16593) lets an attacker who can reach the sandbox boundary corrupt JavaScript Object.prototype, potentially escaping the sandbox or disclosing information. The flaw was internally reported by JetBrains and classed as CWE-1321; it carries a vendor-published CVSS of 9.8, but no public exploit has been identified at time of analysis and EPSS rates exploitation probability low at 0.40% (32nd percentile).

Information Disclosure Prototype Pollution Youtrack
NVD VulDB
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-57925 MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before version 2026.2.16593 permits authenticated low-privileged users to read saved queries and tags outside their authorized scope. The flaw stems from missing authorization checks (CWE-862), meaning the application fails to verify whether the requesting user holds the required permissions before serving these resources over the network. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible nature of the issue means any authenticated user on an exposed YouTrack instance is a potential threat actor.

Authentication Bypass Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57924 MEDIUM PATCH This Month

Excessive user profile data disclosure in JetBrains YouTrack before 2026.2.16593 results from overly permissive default role configuration, allowing any authenticated low-privilege user to read more user profile attributes than intended. The root cause is CWE-276 (Incorrect Default Permissions), where the shipped default role grants broader read access to user directory data than the principle of least privilege requires. No public exploit or confirmed active exploitation exists at time of analysis.

Privilege Escalation Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-57923 HIGH PATCH This Week

Improper authorization in JetBrains YouTrack's app configurations endpoint lets remote attackers modify project settings they should not be permitted to change, affecting all versions before 2026.2.16593. The flaw (CWE-862, Missing Authorization) impacts integrity only - no data disclosure or service disruption - and was self-reported by JetBrains with a patch already available. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.16%, 5th percentile).

Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-57922 MEDIUM PATCH This Month

Project settings disclosure in JetBrains YouTrack before version 2026.2.16593 allows an authenticated low-privileged user to read project configuration data they are not authorized to access via the MCP (Model Context Protocol) integration. The root cause is a missing authorization check (CWE-862) on MCP-exposed endpoints, meaning the server returns project settings without validating the requesting user's project-level permissions. No public exploit has been identified at time of analysis, no KEV listing exists, and a vendor-released patch is available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-57921 HIGH PATCH This Week

Information disclosure in JetBrains YouTrack before 2026.2.16593 allows remote attackers to read other users' private data through a missing authorization check on the comment templates endpoint. The flaw is unauthenticated and network-reachable per the CVSS vector (PR:N), exposing confidential information without any user interaction. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.16%, 6th percentile).

Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-49386 MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before 2026.1.13570 permits any authenticated low-privileged user to enumerate restricted issues and articles through the Planning Canvas feature, exposing confidential project data they are not authorized to view. Rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), the flaw allows user-controlled identifiers to bypass access restrictions without proper authorization checks. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49385 MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before version 2026.1.13570 permits any low-privileged authenticated user to modify service accounts, an administrative operation that should be restricted to privileged roles. Rooted in CWE-862 (Missing Authorization), the flaw is exploitable over the network with low complexity, requiring no user interaction - meaning any valid account holder on an exposed instance can tamper with service account configurations. No public exploit or CISA KEV listing has been identified at time of analysis, but the integrity impact is rated high given the sensitivity of service account access in YouTrack deployments.

Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-49370 LOW PATCH Monitor

Information disclosure in JetBrains YouTrack before version 2026.1.13162 exposes sensitive data through fetchApp requests, exploitable by a high-privileged user with required interaction. The CVSS vector (PR:H/UI:R/S:C) indicates this requires an authenticated administrator-level account, some form of user interaction, and crosses a security scope boundary - meaning disclosed data may reach an unintended security context. No public exploit exists and no KEV listing is present; this is a low-severity (CVSS 3.4) internal information leakage issue most relevant to hardened or compliance-sensitive YouTrack deployments.

Information Disclosure Youtrack
NVD VulDB
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-49369 MEDIUM PATCH This Month

Information disclosure in JetBrains YouTrack before version 2026.1.13162 allows authenticated low-privilege users to access sensitive user and group membership data they are not authorized to view. Rooted in CWE-863 (Incorrect Authorization), the flaw exists on the Users and Groups administrative pages, where authorization checks are insufficiently enforced for authenticated sessions. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low access complexity means any authenticated attacker can reliably reproduce the condition.

Information Disclosure Authentication Bypass Youtrack
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-49368 HIGH PATCH This Week

Stored cross-site scripting in JetBrains YouTrack versions prior to 2026.1.13162 allows an authenticated project-level user to inject persistent JavaScript into project notification templates, which executes in the browsers of other users who receive or view those notifications. The scope-changed CVSS 8.7 reflects that injected scripts can pivot beyond the vulnerable component to compromise the sessions and data of higher-privileged recipients. No public exploit identified at time of analysis and no KEV listing, but the issue was disclosed and patched directly by the vendor.

XSS Youtrack
NVD VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-28193 HIGH This Week

Authenticated users in JetBrains YouTrack versions prior to 2025.3.121962 can bypass authorization controls to access the app permissions endpoint, potentially allowing privilege escalation or unauthorized modification of application settings. This vulnerability requires valid login credentials but has no complexity requirements, enabling attackers with low-level access to gain high-impact capabilities including confidentiality and integrity violations. No patch is currently available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25846 MEDIUM This Month

Youtrack versions up to 2025.3.119033 is affected by insertion of sensitive information into log file (CVSS 6.5).

Information Disclosure Youtrack
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-64773 LOW Monitor

In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Race Condition Authentication Bypass Youtrack
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-64685 HIGH This Month

In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-64684 MEDIUM Monitor

In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Authentication Bypass Youtrack
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-57731 HIGH This Month

In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
8.7
EPSS
0.0%
CVE-2025-48391 HIGH This Month

In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
7.7
EPSS
0.0%
CVE-2025-47850 MEDIUM Monitor

In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-24458 HIGH This Month

In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-24457 MEDIUM This Month

In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2024-54158 MEDIUM This Month

In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-54157 MEDIUM This Month

In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Youtrack
NVD
CVSS 3.1
6.5
EPSS
0.6%
CVE-2024-54156 MEDIUM This Month

In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Prototype Pollution Information Disclosure Youtrack
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2024-54155 MEDIUM This Month

In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-54154 CRITICAL Act Now

In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Youtrack
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2024-54153 MEDIUM This Month

In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-50582 MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-50581 MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-50580 MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-50579 MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-50578 MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-50577 MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-50576 MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.3%
CVE-2024-50575 MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2024-50574 HIGH This Week

In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Youtrack
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-49579 MEDIUM This Month

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
6.1
EPSS
0.4%
CVE-2024-48902 MEDIUM This Month

In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2024-47162 MEDIUM This Month

In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-47160 MEDIUM This Month

In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-47159 MEDIUM This Month

In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2024-38506 HIGH This Week

In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
8.1
EPSS
0.3%
CVE-2024-38505 HIGH This Week

In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2024-38504 MEDIUM This Month

In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.4%
CVE-2024-35299 HIGH This Week

In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-28230 MEDIUM This Month

In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-28229 MEDIUM This Month

In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
6.5
EPSS
0.5%
CVE-2024-28228 MEDIUM This Month

In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2024-22370 MEDIUM Monitor

In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
4.6
EPSS
0.1%
CVE-2023-50871 MEDIUM This Month

In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
CVSS 3.1
4.3
EPSS
0.4%
CVE-2023-38068 HIGH This Week

In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
7.3
EPSS
0.5%
CVE-2023-35054 MEDIUM This Month

In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
1.0%
CVE-2023-35053 HIGH This Week

In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Youtrack
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2022-28650 MEDIUM This Month

In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-28649 MEDIUM This Month

In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2022-28648 MEDIUM This Month

In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
1.3%
CVE-2022-24442 CRITICAL Act Now

JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Youtrack
NVD
CVSS 3.1
9.8
EPSS
3.6%
CVE-2022-24347 MEDIUM This Month

JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-24344 MEDIUM This Month

JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2022-24343 MEDIUM This Month

In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Youtrack
NVD
CVSS 3.1
4.3
EPSS
0.6%
CVE-2021-43186 MEDIUM This Month

JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2021-43185 CRITICAL Act Now

JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Youtrack
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2021-43184 MEDIUM This Month

In JetBrains YouTrack before 2021.3.21051, stored XSS is possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-37554 MEDIUM This Month

In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
4.3
EPSS
0.9%
CVE-2021-37553 HIGH This Week

In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
7.5
EPSS
1.5%
CVE-2021-37552 MEDIUM This Month

In JetBrains YouTrack before 2021.2.17925, stored XSS was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-37551 MEDIUM This Month

In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2021-37550 HIGH This Week

In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-37549 CRITICAL Act Now

In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
9.1
EPSS
1.3%
CVE-2021-31905 HIGH This Week

In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
7.5
EPSS
1.9%
CVE-2021-31903 MEDIUM This Month

In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
6.1
EPSS
0.8%
CVE-2021-31902 HIGH This Week

In JetBrains YouTrack before 2020.6.6600, access control during the exporting of issues was implemented improperly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-27733 MEDIUM This Month

In JetBrains YouTrack before 2020.6.6441, stored XSS was possible via an issue attachment. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-25771 MEDIUM This Month

In JetBrains YouTrack before 2020.6.1099, project information could be potentially disclosed. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
4.3
EPSS
1.5%
CVE-2021-25770 CRITICAL Act Now

In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Youtrack
NVD
CVSS 3.1
9.8
EPSS
3.5%
CVE-2021-25769 HIGH This Week

In JetBrains YouTrack before 2020.4.6808, the YouTrack administrator wasn't able to access attachments. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2021-25768 MEDIUM This Month

In JetBrains YouTrack before 2020.4.4701, permissions for attachments actions were checked improperly. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
5.3
EPSS
1.2%
CVE-2021-25767 MEDIUM This Month

In JetBrains YouTrack before 2020.6.1767, an issue's existence could be disclosed via YouTrack command execution. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
5.3
EPSS
2.6%
CVE-2021-25766 MEDIUM This Month

In JetBrains YouTrack before 2020.4.4701, improper resource access checks were made. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
5.3
EPSS
1.4%
CVE-2021-25765 HIGH This Week

In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Youtrack
NVD
CVSS 3.1
8.8
EPSS
0.7%
CVE-2020-27626 MEDIUM This Month

JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Youtrack
NVD
CVSS 3.1
5.3
EPSS
1.3%
CVE-2020-27625 MEDIUM This Month

In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
5.3
EPSS
1.4%
CVE-2020-27624 MEDIUM This Month

JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Youtrack
NVD
CVSS 3.1
5.3
EPSS
1.4%
CVE-2020-25210 MEDIUM This Month

In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
5.3
EPSS
1.4%
CVE-2020-25209 HIGH This Week

In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
CVSS 3.1
7.5
EPSS
2.4%
CVE-2020-24366 LOW Monitor

Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android via application backups. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure Youtrack
NVD
CVSS 3.1
3.3
EPSS
0.3%
CVE-2020-15822 HIGH This Week

In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Youtrack
NVD
CVSS 3.1
7.3
EPSS
1.4%
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Authentication bypass in JetBrains YouTrack allows attackers to obtain full administrative access by leveraging a direct-database-access code path, per CWE-306 (missing authentication for a critical function). All self-hosted YouTrack builds prior to the 2026.1.13757 / 2025.3.148033 / 2025.2.148048 / 2025.1.148120 / 2024.3.148430 / 2024.2.148429 fix trains are affected, and JetBrains rates it CVSS 10.0. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the maximal severity score and administrative impact make prompt patching essential.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in JetBrains YouTrack before 2026.2.17394 allows low-privileged authenticated users to inject malicious scripts into article titles, which are then rendered unsanitized within digest emails delivered to other users. When a recipient opens the digest email in an HTML-capable client and interacts with the affected content, the injected script executes in their browser context, enabling session token or credential theft. No public exploit or active exploitation has been identified; the CVSS score of 3.5 (Low) reflects the constrained impact due to required authentication, mandatory user interaction, and limited confidentiality-only impact.

XSS Youtrack
NVD VulDB
EPSS 0% CVSS 3.5
LOW PATCH Monitor

CSS injection via Mermaid diagram rendering in JetBrains YouTrack before version 2026.2.17012 permits authenticated low-privilege users to embed malicious CSS into diagram content that executes in the browsers of other users who view the affected page. The CVSS score of 3.5 (Low) reflects the dual gating conditions of required authentication and victim interaction, substantially constraining real-world impact to UI manipulation rather than data exfiltration or code execution. No public exploit code or active exploitation has been identified at time of analysis.

XSS Youtrack
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Prototype pollution in JetBrains YouTrack's websandbox bridge (all versions before 2026.2.16593) lets an attacker who can reach the sandbox boundary corrupt JavaScript Object.prototype, potentially escaping the sandbox or disclosing information. The flaw was internally reported by JetBrains and classed as CWE-1321; it carries a vendor-published CVSS of 9.8, but no public exploit has been identified at time of analysis and EPSS rates exploitation probability low at 0.40% (32nd percentile).

Information Disclosure Prototype Pollution Youtrack
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before version 2026.2.16593 permits authenticated low-privileged users to read saved queries and tags outside their authorized scope. The flaw stems from missing authorization checks (CWE-862), meaning the application fails to verify whether the requesting user holds the required permissions before serving these resources over the network. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, though the network-accessible nature of the issue means any authenticated user on an exposed YouTrack instance is a potential threat actor.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Excessive user profile data disclosure in JetBrains YouTrack before 2026.2.16593 results from overly permissive default role configuration, allowing any authenticated low-privilege user to read more user profile attributes than intended. The root cause is CWE-276 (Incorrect Default Permissions), where the shipped default role grants broader read access to user directory data than the principle of least privilege requires. No public exploit or confirmed active exploitation exists at time of analysis.

Privilege Escalation Youtrack
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper authorization in JetBrains YouTrack's app configurations endpoint lets remote attackers modify project settings they should not be permitted to change, affecting all versions before 2026.2.16593. The flaw (CWE-862, Missing Authorization) impacts integrity only - no data disclosure or service disruption - and was self-reported by JetBrains with a patch already available. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.16%, 5th percentile).

Authentication Bypass Youtrack
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Project settings disclosure in JetBrains YouTrack before version 2026.2.16593 allows an authenticated low-privileged user to read project configuration data they are not authorized to access via the MCP (Model Context Protocol) integration. The root cause is a missing authorization check (CWE-862) on MCP-exposed endpoints, meaning the server returns project settings without validating the requesting user's project-level permissions. No public exploit has been identified at time of analysis, no KEV listing exists, and a vendor-released patch is available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in JetBrains YouTrack before 2026.2.16593 allows remote attackers to read other users' private data through a missing authorization check on the comment templates endpoint. The flaw is unauthenticated and network-reachable per the CVSS vector (PR:N), exposing confidential information without any user interaction. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.16%, 6th percentile).

Authentication Bypass Youtrack
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before 2026.1.13570 permits any authenticated low-privileged user to enumerate restricted issues and articles through the Planning Canvas feature, exposing confidential project data they are not authorized to view. Rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), the flaw allows user-controlled identifiers to bypass access restrictions without proper authorization checks. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Youtrack
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper access control in JetBrains YouTrack before version 2026.1.13570 permits any low-privileged authenticated user to modify service accounts, an administrative operation that should be restricted to privileged roles. Rooted in CWE-862 (Missing Authorization), the flaw is exploitable over the network with low complexity, requiring no user interaction - meaning any valid account holder on an exposed instance can tamper with service account configurations. No public exploit or CISA KEV listing has been identified at time of analysis, but the integrity impact is rated high given the sensitivity of service account access in YouTrack deployments.

Authentication Bypass Youtrack
NVD VulDB
EPSS 0% CVSS 3.4
LOW PATCH Monitor

Information disclosure in JetBrains YouTrack before version 2026.1.13162 exposes sensitive data through fetchApp requests, exploitable by a high-privileged user with required interaction. The CVSS vector (PR:H/UI:R/S:C) indicates this requires an authenticated administrator-level account, some form of user interaction, and crosses a security scope boundary - meaning disclosed data may reach an unintended security context. No public exploit exists and no KEV listing is present; this is a low-severity (CVSS 3.4) internal information leakage issue most relevant to hardened or compliance-sensitive YouTrack deployments.

Information Disclosure Youtrack
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Information disclosure in JetBrains YouTrack before version 2026.1.13162 allows authenticated low-privilege users to access sensitive user and group membership data they are not authorized to view. Rooted in CWE-863 (Incorrect Authorization), the flaw exists on the Users and Groups administrative pages, where authorization checks are insufficiently enforced for authenticated sessions. No public exploit identified at time of analysis, and this vulnerability is not listed in CISA KEV; however, the low access complexity means any authenticated attacker can reliably reproduce the condition.

Information Disclosure Authentication Bypass Youtrack
NVD VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Stored cross-site scripting in JetBrains YouTrack versions prior to 2026.1.13162 allows an authenticated project-level user to inject persistent JavaScript into project notification templates, which executes in the browsers of other users who receive or view those notifications. The scope-changed CVSS 8.7 reflects that injected scripts can pivot beyond the vulnerable component to compromise the sessions and data of higher-privileged recipients. No public exploit identified at time of analysis and no KEV listing, but the issue was disclosed and patched directly by the vendor.

XSS Youtrack
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated users in JetBrains YouTrack versions prior to 2025.3.121962 can bypass authorization controls to access the app permissions endpoint, potentially allowing privilege escalation or unauthorized modification of application settings. This vulnerability requires valid login credentials but has no complexity requirements, enabling attackers with low-level access to gain high-impact capabilities including confidentiality and integrity violations. No patch is currently available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Youtrack versions up to 2025.3.119033 is affected by insertion of sensitive information into log file (CVSS 6.5).

Information Disclosure Youtrack
NVD
EPSS 0% CVSS 2.7
LOW Monitor

In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Race Condition Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 8.1
HIGH This Month

In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 8.7
HIGH This Month

In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 0% CVSS 7.7
HIGH This Month

In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 4.3
MEDIUM Monitor

In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 7.1
HIGH This Month

In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Youtrack
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Prototype Pollution Information Disclosure Youtrack
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Youtrack
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Youtrack
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 8.1
HIGH This Week

In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 7.5
HIGH This Week

In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 1% CVSS 6.5
MEDIUM This Month

In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was possible. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 0% CVSS 4.6
MEDIUM Monitor

In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Youtrack
NVD
EPSS 1% CVSS 7.3
HIGH This Week

In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Youtrack
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Youtrack
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Privilege Escalation Youtrack
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Youtrack
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2021.3.21051, stored XSS is possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 1% CVSS 4.3
MEDIUM This Month

In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2021.2.17925, stored XSS was possible. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 2% CVSS 7.5
HIGH This Week

In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 1% CVSS 7.5
HIGH This Week

In JetBrains YouTrack before 2020.6.6600, access control during the exporting of issues was implemented improperly. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

In JetBrains YouTrack before 2020.6.6441, stored XSS was possible via an issue attachment. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Youtrack
NVD
EPSS 2% CVSS 4.3
MEDIUM This Month

In JetBrains YouTrack before 2020.6.1099, project information could be potentially disclosed. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 3% CVSS 9.8
CRITICAL Act Now

In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Youtrack
NVD
EPSS 2% CVSS 7.5
HIGH This Week

In JetBrains YouTrack before 2020.4.6808, the YouTrack administrator wasn't able to access attachments. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2020.4.4701, permissions for attachments actions were checked improperly. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 3% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2020.6.1767, an issue's existence could be disclosed via YouTrack command execution. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2020.4.4701, improper resource access checks were made. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 8.8
HIGH This Week

In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Youtrack
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Youtrack
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Youtrack
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 2% CVSS 7.5
HIGH This Week

In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Youtrack
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android via application backups. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Google Information Disclosure Youtrack
NVD
EPSS 1% CVSS 7.3
HIGH This Week

In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF Youtrack
NVD
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy