Search

Find a vulnerability

Search criteria

    228 vulnerabilities found for YouTrack by JetBrains

    CVE-2026-57926 (GCVE-0-2026-57926)

    Vulnerability from nvd – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:45
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1321
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57926",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:26:32.244498Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1321",
                    "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:45:02.085Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.6,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "CWE-1321",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:19.536Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57926",
        "datePublished": "2026-06-26T12:38:19.536Z",
        "dateReserved": "2026-06-26T12:21:24.396Z",
        "dateUpdated": "2026-06-26T13:45:02.085Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57925 (GCVE-0-2026-57925)

    Vulnerability from nvd – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:45
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57925",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:26:51.590681Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:45:18.602Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:19.039Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57925",
        "datePublished": "2026-06-26T12:38:19.039Z",
        "dateReserved": "2026-06-26T12:21:24.090Z",
        "dateUpdated": "2026-06-26T13:45:18.602Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57924 (GCVE-0-2026-57924)

    Vulnerability from nvd – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:45
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57924",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:27:13.533690Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:45:33.441Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:18.647Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57924",
        "datePublished": "2026-06-26T12:38:18.647Z",
        "dateReserved": "2026-06-26T12:21:23.827Z",
        "dateUpdated": "2026-06-26T13:45:33.441Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57923 (GCVE-0-2026-57923)

    Vulnerability from nvd – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:45
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57923",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:27:33.706322Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:45:47.920Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:18.291Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57923",
        "datePublished": "2026-06-26T12:38:18.291Z",
        "dateReserved": "2026-06-26T12:21:23.467Z",
        "dateUpdated": "2026-06-26T13:45:47.920Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57922 (GCVE-0-2026-57922)

    Vulnerability from nvd – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:46
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57922",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:27:56.424537Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:46:03.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:17.932Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57922",
        "datePublished": "2026-06-26T12:38:17.932Z",
        "dateReserved": "2026-06-26T12:21:23.232Z",
        "dateUpdated": "2026-06-26T13:46:03.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57921 (GCVE-0-2026-57921)

    Vulnerability from nvd – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:46
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57921",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:28:23.594340Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:46:22.254Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users\u0027 private data via the comment templates endpoint"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:17.373Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57921",
        "datePublished": "2026-06-26T12:38:17.373Z",
        "dateReserved": "2026-06-26T12:21:22.954Z",
        "dateUpdated": "2026-06-26T13:46:22.254Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49386 (GCVE-0-2026-49386)

    Vulnerability from nvd – Published: 2026-05-29 18:15 – Updated: 2026-05-29 19:03
    VLAI
    Summary
    In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.1.13570 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49386",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:03:42.193474Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:03:55.994Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.1.13570",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-29T18:15:54.714Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-49386",
        "datePublished": "2026-05-29T18:15:54.714Z",
        "dateReserved": "2026-05-29T18:08:00.835Z",
        "dateUpdated": "2026-05-29T19:03:55.994Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49385 (GCVE-0-2026-49385)

    Vulnerability from nvd – Published: 2026-05-29 18:15 – Updated: 2026-05-29 19:27
    VLAI
    Summary
    In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.1.13570 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49385",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:24:24.552797Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:27:11.563Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.1.13570",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-29T18:15:54.342Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-49385",
        "datePublished": "2026-05-29T18:15:54.342Z",
        "dateReserved": "2026-05-29T18:08:00.467Z",
        "dateUpdated": "2026-05-29T19:27:11.563Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49370 (GCVE-0-2026-49370)

    Vulnerability from nvd – Published: 2026-05-29 18:15 – Updated: 2026-05-29 19:30
    VLAI
    Summary
    In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.1.13162 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49370",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:17:10.560332Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:30:39.849Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.1.13162",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.4,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-29T18:15:47.385Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-49370",
        "datePublished": "2026-05-29T18:15:47.385Z",
        "dateReserved": "2026-05-29T18:07:54.578Z",
        "dateUpdated": "2026-05-29T19:30:39.849Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49369 (GCVE-0-2026-49369)

    Vulnerability from nvd – Published: 2026-05-29 18:15 – Updated: 2026-05-29 19:30
    VLAI
    Summary
    In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.1.13162 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49369",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:17:02.648430Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:30:54.245Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.1.13162",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-29T18:15:46.993Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-49369",
        "datePublished": "2026-05-29T18:15:46.993Z",
        "dateReserved": "2026-05-29T18:07:53.871Z",
        "dateUpdated": "2026-05-29T19:30:54.245Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49368 (GCVE-0-2026-49368)

    Vulnerability from nvd – Published: 2026-05-29 18:15 – Updated: 2026-05-29 19:31
    VLAI
    Summary
    In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.1.13162 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49368",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:16:39.207550Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:31:08.334Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.1.13162",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-29T18:15:46.548Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-49368",
        "datePublished": "2026-05-29T18:15:46.548Z",
        "dateReserved": "2026-05-29T18:07:53.529Z",
        "dateUpdated": "2026-05-29T19:31:08.334Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33392 (GCVE-0-2026-33392)

    Vulnerability from nvd – Published: 2026-04-17 07:46 – Updated: 2026-04-18 03:55
    VLAI
    Summary
    In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2025.3.131383 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33392",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-18T03:55:54.262Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2025.3.131383",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1336",
                  "description": "CWE-1336",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T07:46:11.710Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-33392",
        "datePublished": "2026-04-17T07:46:11.710Z",
        "dateReserved": "2026-03-19T12:17:14.827Z",
        "dateUpdated": "2026-04-18T03:55:54.262Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28193 (GCVE-0-2026-28193)

    Vulnerability from nvd – Published: 2026-02-25 12:57 – Updated: 2026-02-26 14:44
    VLAI
    Summary
    In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2025.3.121962 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28193",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-26T04:55:49.115945Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T14:44:06.777Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2025.3.121962",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-25T12:57:27.463Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-28193",
        "datePublished": "2026-02-25T12:57:27.463Z",
        "dateReserved": "2026-02-25T12:35:11.990Z",
        "dateUpdated": "2026-02-26T14:44:06.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25846 (GCVE-0-2026-25846)

    Vulnerability from nvd – Published: 2026-02-09 10:38 – Updated: 2026-02-09 13:46
    VLAI
    Summary
    In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2025.3.119033 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25846",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-09T13:45:33.033939Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-09T13:46:19.192Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2025.3.119033",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-09T10:38:59.786Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-25846",
        "datePublished": "2026-02-09T10:38:59.786Z",
        "dateReserved": "2026-02-06T14:16:36.496Z",
        "dateUpdated": "2026-02-09T13:46:19.192Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64773 (GCVE-0-2025-64773)

    Vulnerability from nvd – Published: 2025-11-11 15:23 – Updated: 2025-12-11 19:00
    VLAI
    Summary
    In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2025.3.104432 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64773",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-12T14:54:17.572310Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-362",
                    "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T19:00:41.658Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2025.3.104432",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-11T15:23:19.653Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2025-64773",
        "datePublished": "2025-11-11T15:23:19.653Z",
        "dateReserved": "2025-11-11T15:02:03.361Z",
        "dateUpdated": "2025-12-11T19:00:41.658Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57926 (GCVE-0-2026-57926)

    Vulnerability from cvelistv5 – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:45
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1321
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57926",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:26:32.244498Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-1321",
                    "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:45:02.085Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.6,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "CWE-1321",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:19.536Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57926",
        "datePublished": "2026-06-26T12:38:19.536Z",
        "dateReserved": "2026-06-26T12:21:24.396Z",
        "dateUpdated": "2026-06-26T13:45:02.085Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57925 (GCVE-0-2026-57925)

    Vulnerability from cvelistv5 – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:45
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57925",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:26:51.590681Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:45:18.602Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:19.039Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57925",
        "datePublished": "2026-06-26T12:38:19.039Z",
        "dateReserved": "2026-06-26T12:21:24.090Z",
        "dateUpdated": "2026-06-26T13:45:18.602Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57924 (GCVE-0-2026-57924)

    Vulnerability from cvelistv5 – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:45
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57924",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:27:13.533690Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:45:33.441Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 default role configuration exposed excessive user profile details"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-276",
                  "description": "CWE-276",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:18.647Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57924",
        "datePublished": "2026-06-26T12:38:18.647Z",
        "dateReserved": "2026-06-26T12:21:23.827Z",
        "dateUpdated": "2026-06-26T13:45:33.441Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57923 (GCVE-0-2026-57923)

    Vulnerability from cvelistv5 – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:45
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57923",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:27:33.706322Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-862",
                    "description": "CWE-862 Missing Authorization",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:45:47.920Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:18.291Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57923",
        "datePublished": "2026-06-26T12:38:18.291Z",
        "dateReserved": "2026-06-26T12:21:23.467Z",
        "dateUpdated": "2026-06-26T13:45:47.920Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57922 (GCVE-0-2026-57922)

    Vulnerability from cvelistv5 – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:46
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57922",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:27:56.424537Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:46:03.260Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:17.932Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57922",
        "datePublished": "2026-06-26T12:38:17.932Z",
        "dateReserved": "2026-06-26T12:21:23.232Z",
        "dateUpdated": "2026-06-26T13:46:03.260Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-57921 (GCVE-0-2026-57921)

    Vulnerability from cvelistv5 – Published: 2026-06-26 12:38 – Updated: 2026-06-26 13:46
    VLAI
    Summary
    In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.2.16593 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-57921",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-26T13:28:23.594340Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-26T13:46:22.254Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.2.16593",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users\u0027 private data via the comment templates endpoint"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-26T12:38:17.373Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-57921",
        "datePublished": "2026-06-26T12:38:17.373Z",
        "dateReserved": "2026-06-26T12:21:22.954Z",
        "dateUpdated": "2026-06-26T13:46:22.254Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49386 (GCVE-0-2026-49386)

    Vulnerability from cvelistv5 – Published: 2026-05-29 18:15 – Updated: 2026-05-29 19:03
    VLAI
    Summary
    In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.1.13570 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49386",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:03:42.193474Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:03:55.994Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.1.13570",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-29T18:15:54.714Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-49386",
        "datePublished": "2026-05-29T18:15:54.714Z",
        "dateReserved": "2026-05-29T18:08:00.835Z",
        "dateUpdated": "2026-05-29T19:03:55.994Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49385 (GCVE-0-2026-49385)

    Vulnerability from cvelistv5 – Published: 2026-05-29 18:15 – Updated: 2026-05-29 19:27
    VLAI
    Summary
    In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.1.13570 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49385",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:24:24.552797Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:27:11.563Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.1.13570",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-29T18:15:54.342Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-49385",
        "datePublished": "2026-05-29T18:15:54.342Z",
        "dateReserved": "2026-05-29T18:08:00.467Z",
        "dateUpdated": "2026-05-29T19:27:11.563Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49370 (GCVE-0-2026-49370)

    Vulnerability from cvelistv5 – Published: 2026-05-29 18:15 – Updated: 2026-05-29 19:30
    VLAI
    Summary
    In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.1.13162 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49370",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:17:10.560332Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:30:39.849Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.1.13162",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 3.4,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "HIGH",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-201",
                  "description": "CWE-201",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-29T18:15:47.385Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-49370",
        "datePublished": "2026-05-29T18:15:47.385Z",
        "dateReserved": "2026-05-29T18:07:54.578Z",
        "dateUpdated": "2026-05-29T19:30:39.849Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49369 (GCVE-0-2026-49369)

    Vulnerability from cvelistv5 – Published: 2026-05-29 18:15 – Updated: 2026-05-29 19:30
    VLAI
    Summary
    In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.1.13162 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49369",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:17:02.648430Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:30:54.245Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.1.13162",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-29T18:15:46.993Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-49369",
        "datePublished": "2026-05-29T18:15:46.993Z",
        "dateReserved": "2026-05-29T18:07:53.871Z",
        "dateUpdated": "2026-05-29T19:30:54.245Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-49368 (GCVE-0-2026-49368)

    Vulnerability from cvelistv5 – Published: 2026-05-29 18:15 – Updated: 2026-05-29 19:31
    VLAI
    Summary
    In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2026.1.13162 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-49368",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-29T19:16:39.207550Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-29T19:31:08.334Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2026.1.13162",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-29T18:15:46.548Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-49368",
        "datePublished": "2026-05-29T18:15:46.548Z",
        "dateReserved": "2026-05-29T18:07:53.529Z",
        "dateUpdated": "2026-05-29T19:31:08.334Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-33392 (GCVE-0-2026-33392)

    Vulnerability from cvelistv5 – Published: 2026-04-17 07:46 – Updated: 2026-04-18 03:55
    VLAI
    Summary
    In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2025.3.131383 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-33392",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-18T03:55:54.262Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2025.3.131383",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1336",
                  "description": "CWE-1336",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T07:46:11.710Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-33392",
        "datePublished": "2026-04-17T07:46:11.710Z",
        "dateReserved": "2026-03-19T12:17:14.827Z",
        "dateUpdated": "2026-04-18T03:55:54.262Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-28193 (GCVE-0-2026-28193)

    Vulnerability from cvelistv5 – Published: 2026-02-25 12:57 – Updated: 2026-02-26 14:44
    VLAI
    Summary
    In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2025.3.121962 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-28193",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-26T04:55:49.115945Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-26T14:44:06.777Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2025.3.121962",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-25T12:57:27.463Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-28193",
        "datePublished": "2026-02-25T12:57:27.463Z",
        "dateReserved": "2026-02-25T12:35:11.990Z",
        "dateUpdated": "2026-02-26T14:44:06.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25846 (GCVE-0-2026-25846)

    Vulnerability from cvelistv5 – Published: 2026-02-09 10:38 – Updated: 2026-02-09 13:46
    VLAI
    Summary
    In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2025.3.119033 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25846",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-09T13:45:33.033939Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-09T13:46:19.192Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2025.3.119033",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-09T10:38:59.786Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2026-25846",
        "datePublished": "2026-02-09T10:38:59.786Z",
        "dateReserved": "2026-02-06T14:16:36.496Z",
        "dateUpdated": "2026-02-09T13:46:19.192Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-64773 (GCVE-0-2025-64773)

    Vulnerability from cvelistv5 – Published: 2025-11-11 15:23 – Updated: 2025-12-11 19:00
    VLAI
    Summary
    In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-362
    • CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    Assigner
    Impacted products
    Vendor Product Version
    JetBrains YouTrack Affected: 0 , < 2025.3.104432 (semver)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-64773",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-11-12T14:54:17.572310Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-362",
                    "description": "CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-12-11T19:00:41.658Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "YouTrack",
              "vendor": "JetBrains",
              "versions": [
                {
                  "lessThan": "2025.3.104432",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-362",
                  "description": "CWE-362",
                  "lang": "en"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-11-11T15:23:19.653Z",
            "orgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
            "shortName": "JetBrains"
          },
          "references": [
            {
              "url": "https://www.jetbrains.com/privacy-security/issues-fixed/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "547ada31-17d8-4964-bc5f-1b8238ba8014",
        "assignerShortName": "JetBrains",
        "cveId": "CVE-2025-64773",
        "datePublished": "2025-11-11T15:23:19.653Z",
        "dateReserved": "2025-11-11T15:02:03.361Z",
        "dateUpdated": "2025-12-11T19:00:41.658Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }