| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| In JetBrains YouTrack before 2026.2.17394 stored XSS via article titles in digest emails was possible |
| In JetBrains YouTrack before 2026.2.17012 cSS injection via Mermaid diagram rendering was possible |
| In JetBrains YouTrack before 2026.1.13757,
2025.3.148033,
2025.2.148048,
2025.1.148120,
2024.3.148430,
2024.2.148429 authentication bypass via direct database access leading to administrative access was possible |
| In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings |
| In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details |
| In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags |
| In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack |
| In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint |
| In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible |
| In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible |
| In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages |
| In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests |
| In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts |
| In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas |
| In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass |
| In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs |
| In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint |
| In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure |
| In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit |
| This CVE ID has been rejected or withdrawn by its CVE Numbering Authority because it relates to internal functionality that is not available to customers. |