Every CVE whose affected-product data names Jetbrains Youtrack, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (114)
CVE-2019-12866 — CVSS 9.8 (critical): An Insecure Direct Object Reference, with Authorization Bypass through a User-Controlled Key, was possible in JetBrains YouTrack. The issue…
CVE-2022-24442 — CVSS 9.8 (critical): JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
CVE-2019-12867 — CVSS 9.8 (critical): Certain actions could cause privilege escalation for issue attachments in JetBrains YouTrack. The issue was fixed in 2018.4.49168.
CVE-2021-25770 — CVSS 9.8 (critical): In JetBrains YouTrack before 2020.5.3123, server-side template injection (SSTI) was possible, which could lead to code execution.
CVE-2019-12852 — CVSS 9.8 (critical): An SSRF attack was possible on a JetBrains YouTrack server. The issue (1 of 2) was fixed in JetBrains YouTrack 2018.4.49168.
CVE-2019-12851 — CVSS 8.8 (high): A CSRF vulnerability was detected in one of the admin endpoints of JetBrains YouTrack. The issue was fixed in YouTrack 2018.4.49852.
CVE-2026-49368 — CVSS 8.7 (high): In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible
CVE-2025-64685 — CVSS 8.1 (high): In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure
CVE-2024-49579 — CVSS 8.1 (high): In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests
CVE-2024-54154 — CVSS 8.0 (high): In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox
CVE-2025-48391 — CVSS 7.7 (high): In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API
CVE-2025-53959 — CVSS 7.6 (high): In JetBrains YouTrack before 2025.2.86069, 2024.3.85077, 2025.1.86199 email spoofing via an administrative API was possible
CVE-2020-25209 — CVSS 7.5 (high): In JetBrains YouTrack before 2020.3.6638, improper access control for some subresources leads to information disclosure via the REST API.
CVE-2021-25769 — CVSS 7.5 (high): In JetBrains YouTrack before 2020.4.6808, the YouTrack administrator wasn't able to access attachments.
CVE-2021-31905 — CVSS 7.5 (high): In JetBrains YouTrack before 2020.6.8801, information disclosure in an issue preview was possible.
CVE-2021-31902 — CVSS 7.5 (high): In JetBrains YouTrack before 2020.6.6600, access control during the exporting of issues was implemented improperly.
CVE-2020-11693 — CVSS 7.5 (high): JetBrains YouTrack before 2020.1.659 was vulnerable to DoS that could be caused by attaching a malformed TIFF file to an issue.
CVE-2022-28650 — CVSS 7.3 (high): In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
CVE-2020-15822 — CVSS 7.3 (high): In JetBrains YouTrack before 2020.2.10514, SSRF is possible because URL filtering can be escaped.
CVE-2026-33392 — CVSS 7.2 (high): In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass
CVE-2025-24458 — CVSS 7.1 (high): In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration
CVE-2024-28229 — CVSS 6.5 (medium): In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles
CVE-2024-28230 — CVSS 6.5 (medium): In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions
CVE-2026-49386 — CVSS 6.5 (medium): In JetBrains YouTrack before 2026.1.13570 improper access control allowed enumeration of restricted issues and articles on Planning Canvas
CVE-2020-24618 — CVSS 6.5 (medium): In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, 2020.1.11011, 2019.1.65514, 2019.2.65515, and 2019.3.65516, an attacker…
CVE-2026-49385 — CVSS 6.5 (medium): In JetBrains YouTrack before 2026.1.13570 improper access control allowed low-privileged users to modify service accounts
CVE-2020-15821 — CVSS 6.5 (medium): In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2024-38506 — CVSS 6.3 (medium): In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows
CVE-2025-54527 — CVSS 6.1 (medium): In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344 improper iframe configuration in widget sandbox allows…
CVE-2019-14953 — CVSS 6.1 (medium): JetBrains YouTrack versions before 2019.2.53938 had a possible XSS through issue attachments when using the Firefox browser.
CVE-2019-15041 — CVSS 6.1 (medium): JetBrains YouTrack versions before 2019.1.52545 allowed unbounded URL whitelisting because of Inclusion of Functionality from an Untrusted…
CVE-2021-31903 — CVSS 6.1 (medium): In JetBrains YouTrack before 2021.1.9819, a pull request's title was sanitized insufficiently, leading to XSS.
CVE-2024-35299 — CVSS 5.9 (medium): In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation
CVE-2024-48902 — CVSS 5.4 (medium): In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via…
CVE-2020-25210 — CVSS 5.3 (medium): In JetBrains YouTrack before 2020.3.7955, an attacker could access workflow rules without appropriate access grants.
CVE-2020-25208 — CVSS 5.3 (medium): In JetBrains YouTrack before 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.
CVE-2024-28228 — CVSS 5.3 (medium): In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was possible
CVE-2024-50574 — CVSS 5.3 (medium): In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality
CVE-2019-18369 — CVSS 5.3 (medium): In JetBrains YouTrack before 2019.2.55152, removing tags from the issues list without the corresponding permission was possible.
CVE-2026-57923 — CVSS 5.3 (medium): In JetBrains YouTrack before 2026.2.16593 improper authorisation in the app configurations endpoint allowed modifying project settings
CVE-2024-50577 — CVSS 4.6 (medium): In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings
CVE-2024-50578 — CVSS 4.6 (medium): In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page
CVE-2024-50579 — CVSS 4.6 (medium): In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible
CVE-2024-50580 — CVSS 4.6 (medium): In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule
CVE-2024-50581 — CVSS 4.6 (medium): In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag
CVE-2024-50582 — CVSS 4.6 (medium): In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements
CVE-2022-28649 — CVSS 4.6 (medium): In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description
CVE-2026-49369 — CVSS 4.3 (medium): In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on Users and Groups pages
CVE-2024-54157 — CVSS 4.3 (medium): In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector
CVE-2024-47160 — CVSS 4.3 (medium): In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
CVE-2024-47159 — CVSS 4.3 (medium): In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project
CVE-2025-47850 — CVSS 4.3 (medium): In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning
CVE-2026-57925 — CVSS 4.3 (medium): In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading saved queries and tags
CVE-2024-38504 — CVSS 4.3 (medium): In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles
CVE-2026-57921 — CVSS 4.3 (medium): In JetBrains YouTrack before 2026.2.16593 improper access control allowed reading users' private data via the comment templates endpoint
CVE-2023-50871 — CVSS 4.3 (medium): In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed
CVE-2025-64684 — CVSS 4.3 (medium): In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form
CVE-2019-14956 — CVSS 4.3 (medium): JetBrains YouTrack before 2019.2.53938 was using incorrect settings, allowing a user without necessary permissions to get other project…
CVE-2024-54155 — CVSS 3.7 (low): In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication
CVE-2024-54158 — CVSS 3.5 (low): In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding
CVE-2026-49370 — CVSS 3.4 (low): In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests
CVE-2020-24366 — CVSS 3.3 (low): Sensitive information could be disclosed in the JetBrains YouTrack application before 2020.2.0 for Android via application backups.
CVE-2026-57922 — CVSS 3.1 (low): In JetBrains YouTrack before 2026.2.16593 project settings disclosure via the MCP was possible
CVE-2024-54153 — CVSS 3.1 (low): In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter
CVE-2020-11692 — CVSS 2.7 (low): In JetBrains YouTrack before 2020.1.659, DB export was accessible to read-only administrators.
CVE-2025-64773 — CVSS 2.7 (low): In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit
CVE-2026-57926 — CVSS 2.6 (low): In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack