
JetBrains YouTrack

103 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
| CVE | Affected versions | Description | CVSS |
|---|---|---|---|
| CVE-2026-33392 | < 2025.3.131383 | In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass | 7.2 HIGH |
| CVE-2026-28193 | < 2025.3.121962 | In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint | 8.8 HIGH |
| CVE-2026-25846 | < 2025.3.119033 | In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs | 6.5 MEDIUM |
| CVE-2025-64773 | < 2025.3.104432 | In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit | 2.7 LOW |
| CVE-2025-64685 | < 2025.3.104432 | In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure | 8.1 HIGH |
| CVE-2025-64684 | < 2025.3.104432 | In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form | 4.3 MEDIUM |
| CVE-2025-57731 | < 2025.2.92387 | In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content | 8.7 HIGH |
| CVE-2025-54527 | < 2025.2.86935 | In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344 improper iframe configuration in widget san | 6.1 MEDIUM |
| CVE-2025-53959 | < 2024.3.85077 | In JetBrains YouTrack before 2025.2.86069, 2024.3.85077, 2025.1.86199 email spoofing via an administrative API was possible | 7.6 HIGH |
| CVE-2025-48391 | < 2025.1.76253 | In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API | 7.7 HIGH |
| CVE-2025-47850 | < 2025.1.74704 | In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning | 4.3 MEDIUM |
| CVE-2025-24458 | < 2024.3.55417 | In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration | 7.1 HIGH |
| CVE-2025-24457 | < 2024.3.55417 | In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs | 5.5 MEDIUM |
| CVE-2024-54158 | < 2024.3.52635 | In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding | 3.5 LOW |
| CVE-2024-54157 | < 2024.3.52635 | In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector | 4.3 MEDIUM |
| CVE-2024-54156 | < 2024.3.52635 | In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack | 4.2 MEDIUM |
| CVE-2024-54155 | < 2024.3.51866 | In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authe | 3.7 LOW |
| CVE-2024-54154 | < 2024.3.51866 | In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox | 8.0 HIGH |
| CVE-2024-54153 | < 2024.3.51866 | In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter | 3.1 LOW |
| CVE-2024-50582 | < 2024.3.47707 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements | 4.6 MEDIUM |
| CVE-2024-50581 | < 2024.3.47707 | In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag | 4.6 MEDIUM |
| CVE-2024-50580 | < 2024.3.47707 | In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule | 4.6 MEDIUM |
| CVE-2024-50579 | < 2024.3.47707 | In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible | 4.6 MEDIUM |
| CVE-2024-50578 | < 2024.3.47707 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page | 4.6 MEDIUM |
| CVE-2024-50577 | < 2024.3.47707 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings | 4.6 MEDIUM |
| CVE-2024-50576 | < 2024.3.47707 | In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest | 4.6 MEDIUM |
| CVE-2024-50575 | < 2024.3.47707 | In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API | 5.4 MEDIUM |
| CVE-2024-50574 | < 2024.3.47707 | In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality | 5.3 MEDIUM |
| CVE-2024-49579 | < 2024.3.47197 | In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API reque | 8.1 HIGH |
| CVE-2024-48902 | < 2024.3.46677 | In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applicati | 5.4 MEDIUM |
| CVE-2024-47162 | < 2024.3.44799 | In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page | 4.1 MEDIUM |
| CVE-2024-47160 | < 2024.3.44799 | In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible | 4.3 MEDIUM |
| CVE-2024-47159 | < 2024.3.44799 | In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project | 4.3 MEDIUM |
| CVE-2024-38506 | < 2024.2.34646 | In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows | 6.3 MEDIUM |
| CVE-2024-38505 | < 2024.2.34646 | In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site | 5.3 MEDIUM |
| CVE-2024-38504 | < 2024.2.34646 | In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles | 4.3 MEDIUM |
| CVE-2024-35299 | < 2024.1.29548 | In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation | 5.9 MEDIUM |
| CVE-2024-28230 | < 2024.1.25893 | In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions | 6.5 MEDIUM |
| CVE-2024-28229 | < 2024.1.25893 | In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles | 6.5 MEDIUM |
| CVE-2024-28228 | < 2024.1.25893 | In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was possible | 5.3 MEDIUM |
| CVE-2024-22370 | < 2023.3.22666 | In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible | 4.6 MEDIUM |
| CVE-2023-50871 | < 2023.3.22268 | In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed | 4.3 MEDIUM |
| CVE-2023-38068 | < 2023.1.16597 | In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms | 6.5 MEDIUM |
| CVE-2023-35054 | < 2023.1.10518 | In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible | 4.6 MEDIUM |
| CVE-2023-35053 | < 2023.1.10518 | In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms | 7.5 HIGH |
| CVE-2022-28650 | < 2022.1.43700 | In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI | 7.3 HIGH |
| CVE-2022-28649 | < 2022.1.43563 | In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description | 4.6 MEDIUM |
| CVE-2022-28648 | < 2022.1.43563 | In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered | 5.7 MEDIUM |
| CVE-2022-24442 | < 2021.4.40426 | JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates. | 9.8 CRITICAL |
| CVE-2022-24347 | < 2021.4.36872 | JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon. | 5.4 MEDIUM |
| CVE-2022-24344 | < 2021.4.31698 | JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page. | 5.4 MEDIUM |
| CVE-2022-24343 | < 2021.4.31698 | In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions. | 4.3 MEDIUM |
| CVE-2021-43186 | < 2021.3.24402 | JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS. | 5.4 MEDIUM |
| CVE-2021-43185 | < 2021.3.23639 | JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection. | 9.8 CRITICAL |
| CVE-2021-43184 | < 2021.3.21051 | In JetBrains YouTrack before 2021.3.21051, stored XSS is possible. | 5.4 MEDIUM |
| CVE-2021-37554 | < 2021.3.21051 | In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions. | 4.3 MEDIUM |
| CVE-2021-37553 | < 2021.2.16363 | In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used. | 7.5 HIGH |
| CVE-2021-37552 | < 2021.2.17925 | In JetBrains YouTrack before 2021.2.17925, stored XSS was possible. | 5.4 MEDIUM |
| CVE-2021-37551 | < 2021.2.16363 | In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256. | 5.3 MEDIUM |
| CVE-2021-37550 | < 2021.2.16363 | In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used. | 7.5 HIGH |
| CVE-2021-37549 | < 2021.1.11111 | In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient. | 9.1 CRITICAL |
| CVE-2021-31905 | < 2020.6.8801 | In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible. | 7.5 HIGH |
| CVE-2021-31903 | < 2021.1.9819 | In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS. | 6.1 MEDIUM |
| CVE-2021-31902 | < 2020.6.6600 | In JetBrains YouTrack before 2020.6.6600, access control during the exporting of issues was implemented improperly. | 7.5 HIGH |
| CVE-2021-27733 | < 2020.6.6441 | In JetBrains YouTrack before 2020.6.6441, stored XSS was possible via an issue attachment. | 5.4 MEDIUM |
| CVE-2021-25771 | < 2020.6.1099 | In JetBrains YouTrack before 2020.6.1099, project information could be potentially disclosed. | 4.3 MEDIUM |
| CVE-2021-25770 | < 2020.5.3123 | In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code execution. | 9.8 CRITICAL |
| CVE-2021-25769 | < 2020.4.6808 | In JetBrains YouTrack before 2020.4.6808, the YouTrack administrator wasn't able to access attachments. | 7.5 HIGH |
| CVE-2021-25768 | < 2020.4.4701 | In JetBrains YouTrack before 2020.4.4701, permissions for attachments actions were checked improperly. | 5.3 MEDIUM |
| CVE-2021-25767 | < 2020.6.1767 | In JetBrains YouTrack before 2020.6.1767, an issue's existence could be disclosed via YouTrack command execution. | 5.3 MEDIUM |
| CVE-2021-25766 | < 2020.4.4701 | In JetBrains YouTrack before 2020.4.4701, improper resource access checks were made. | 5.3 MEDIUM |
| CVE-2021-25765 | < 2020.4.4701 | In JetBrains YouTrack before 2020.4.4701, CSRF via attachment upload was possible. | 8.8 HIGH |
| CVE-2020-25208 | < 2020.4.4701 | In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions. | 5.3 MEDIUM |
| CVE-2020-27626 | < 2020.3.5333 | JetBrains YouTrack before 2020.3.5333 was vulnerable to SSRF. | 5.3 MEDIUM |
| CVE-2020-27625 | < 2020.3.888 | In JetBrains YouTrack before 2020.3.888, notifications might have mentioned inaccessible issues. | 5.3 MEDIUM |
| CVE-2020-27624 | < 2020.3.888 | JetBrains YouTrack before 2020.3.888 was vulnerable to SSRF. | 5.3 MEDIUM |
| CVE-2020-25210 | < 2020.3.7955 | In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants. | 5.3 MEDIUM |
| CVE-2020-25209 | < 2020.3.6638 | In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the RE | 7.5 HIGH |
| CVE-2020-24366 | < 2020.2.0 | Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android via application backups | 3.3 LOW |
| CVE-2020-15822 | < 2020.2.10514 | In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped. | 7.3 HIGH |
| CVE-2020-24618 | < 2019.1.65514 | In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.1.65514, 2019.2.65515, and 2019.3.65516, an at | 6.5 MEDIUM |
| CVE-2020-15823 | < 2020.2.8873 | JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component. | 7.5 HIGH |
| CVE-2020-15821 | < 2020.2.6881 | In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft. | 6.5 MEDIUM |
| CVE-2020-15820 | < 2020.2.6881 | In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence. | 5.3 MEDIUM |
| CVE-2020-15819 | < 2020.2.10643 | JetBrains YouTrack before 2020.2.10643 was vulnerable to SSRF that allowed scanning internal ports. | 5.3 MEDIUM |
| CVE-2020-15818 | < 2020.2.8527 | In JetBrains YouTrack before 2020.2.8527, the subtasks workflow could disclose issue existence. | 5.3 MEDIUM |
| CVE-2020-15817 | < 2020.1.1331 | In JetBrains YouTrack before 2020.1.1331, an external user could execute commands against arbitrary issues. | 8.8 HIGH |
| CVE-2020-11693 | < 2020.1.659 | JetBrains YouTrack before 2020.1.659 was vulnerable to DoS that could be caused by attaching a malformed TIFF file to an issue. | 7.5 HIGH |
| CVE-2020-11692 | < 2020.1.659 | In JetBrains YouTrack before 2020.1.659, DB export was accessible to read-only administrators. | 2.7 LOW |
| CVE-2020-7913 | >= 2019.2.0 and < 2019.2.59309 | JetBrains YouTrack 2019.2 before 2019.2.59309 was vulnerable to XSS via an issue description. | 6.1 MEDIUM |
| CVE-2020-7912 | >= 2019.2.0 and < 2019.2.59309 | In JetBrains YouTrack before 2019.2.59309, SMTP/Jabber settings could be accessed using backups. | 5.3 MEDIUM |
| CVE-2019-18369 | < 2019.2.55152 | In JetBrains YouTrack before 2019.2.55152, removing tags from the issues list without the corresponding permission was possible. | 5.3 MEDIUM |
| CVE-2019-16171 | <= 2019.2.56594 | In JetBrains YouTrack through 2019.2.56594, stored XSS was found on the issue page. | 6.1 MEDIUM |
| CVE-2019-15040 | < 2019.1 | JetBrains YouTrack versions before 2019.1 had a CSRF vulnerability on the settings page. | 8.8 HIGH |
| CVE-2019-14956 | < 2019.2.53938 | JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other pr | 4.3 MEDIUM |
| CVE-2019-15041 | < 2019.1.52545 | JetBrains YouTrack versions before 2019.1.52545 allowed unbounded URL whitelisting because of Inclusion of Functionality from an U | 6.1 MEDIUM |
| CVE-2019-14953 | < 2019.2.53938 | JetBrains YouTrack versions before 2019.2.53938 had a possible XSS through issue attachments when using the Firefox browser. | 6.1 MEDIUM |
| CVE-2019-14952 | < 2019.1.52584 | JetBrains YouTrack versions before 2019.1.52584 had a possible XSS in the issue titles. | 6.1 MEDIUM |
| CVE-2019-12852 | < 2018.4.49168 | An SSRF attack was possible on a JetBrains YouTrack server. The issue (1 of 2) was fixed in JetBrains YouTrack 2018.4.49168. | 9.8 CRITICAL |
| CVE-2019-12867 | < 2018.4.49168 | Certain actions could cause privilege escalation for issue attachments in JetBrains YouTrack. The issue was fixed in 2018.4.49168. | 9.8 CRITICAL |
| CVE-2019-12866 | < 2018.4.49168 | An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. | 9.8 CRITICAL |
| CVE-2019-12851 | < 2018.4.49852 | A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.4985 | 8.8 HIGH |
| CVE-2019-12850 | < 2018.4.49168 | A query injection was possible in JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49168. | 9.8 CRITICAL |
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin