JetBrains YouTrack
53 CVEs affecting JetBrains YouTrack. Latest disclosed: 2026-05-29. Critical: 0, High: 12.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-28193 | High | 8.8 | 2026-02-25 | In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint |
| CVE-2026-49368 | High | 8.7 | 2026-05-29 | In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible |
| CVE-2025-57731 | High | 8.7 | 2025-08-20 | In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content |
| CVE-2025-64685 | High | 8.1 | 2025-11-10 | In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure |
| CVE-2024-49579 | High | 8.1 | 2024-10-17 | In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests |
| CVE-2024-54154 | High | 8.0 | 2024-12-04 | In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox |
| CVE-2025-48391 | High | 7.7 | 2025-05-20 | In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API |
| CVE-2025-53959 | High | 7.6 | 2025-07-15 | In JetBrains YouTrack before 2025.2.86069, 2024.3.85077, 2025.1.86199 email spoofing via an administrative API was possible |
| CVE-2023-35053 | High | 7.5 | 2023-06-12 | In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms |
| CVE-2022-28650 | High | 7.3 | 2022-04-05 | In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI |
| CVE-2026-33392 | High | 7.2 | 2026-04-17 | In JetBrains YouTrack before 2025.3.131383 a high-privileged user could achieve RCE via sandbox bypass |
| CVE-2025-24458 | High | 7.1 | 2025-01-21 | In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration |
| CVE-2026-49386 | Medium | 6.5 | 2026-05-29 | In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas |
| CVE-2026-49385 | Medium | 6.5 | 2026-05-29 | In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts |
| CVE-2026-25846 | Medium | 6.5 | 2026-02-09 | In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs |
| CVE-2024-28230 | Medium | 6.5 | 2024-03-07 | In JetBrains YouTrack before 2024.1.25893 attaching/detaching a workflow to a project was possible without project admin permissions |
| CVE-2024-28229 | Medium | 6.5 | 2024-03-07 | In JetBrains YouTrack before 2024.1.25893 a user without appropriate permissions could restore issues and articles |
| CVE-2023-38068 | Medium | 6.5 | 2023-07-12 | In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms |
| CVE-2024-38506 | Medium | 6.3 | 2024-06-18 | In JetBrains YouTrack before 2024.2.34646 a user without appropriate permissions could enable the auto-attach option for workflows |
| CVE-2025-54527 | Medium | 6.1 | 2025-07-28 | In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344 improper iframe configuration in widget sandbox allows popups to bypass… |