Total
102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-28193 | 1 Jetbrains | 1 Youtrack | 2026-02-26 | N/A | 8.8 HIGH |
|
In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint
|
|||||
| CVE-2026-25846 | 1 Jetbrains | 1 Youtrack | 2026-02-18 | N/A | 6.5 MEDIUM |
|
In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
|
|||||
| CVE-2025-64773 | 1 Jetbrains | 1 Youtrack | 2025-12-11 | N/A | 2.7 LOW |
|
In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit
|
|||||
| CVE-2025-54527 | 1 Jetbrains | 1 Youtrack | 2025-12-01 | N/A | 6.1 MEDIUM |
|
In JetBrains YouTrack before 2025.2.86935,
2025.2.87167,
2025.3.87341,
2025.3.87344 improper iframe configuration in widget sandbox allows popups to bypass security restrictions
|
|||||
| CVE-2025-64684 | 1 Jetbrains | 1 Youtrack | 2025-11-21 | N/A | 4.3 MEDIUM |
|
In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form
|
|||||
| CVE-2025-64685 | 1 Jetbrains | 1 Youtrack | 2025-11-21 | N/A | 8.1 HIGH |
|
In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure
|
|||||
| CVE-2025-53959 | 1 Jetbrains | 1 Youtrack | 2025-10-14 | N/A | 7.6 HIGH |
|
In JetBrains YouTrack before 2025.2.86069,
2024.3.85077,
2025.1.86199 email spoofing via an administrative API was possible
|
|||||
| CVE-2025-47850 | 1 Jetbrains | 1 Youtrack | 2025-09-30 | N/A | 4.3 MEDIUM |
|
In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning
|
|||||
| CVE-2025-48391 | 1 Jetbrains | 1 Youtrack | 2025-09-30 | N/A | 7.7 HIGH |
|
In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API
|
|||||
| CVE-2025-57731 | 1 Jetbrains | 1 Youtrack | 2025-08-21 | N/A | 8.7 HIGH |
|
In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content
|
|||||
| CVE-2024-54155 | 1 Jetbrains | 1 Youtrack | 2025-01-31 | N/A | 3.7 LOW |
|
In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication
|
|||||
| CVE-2024-54154 | 1 Jetbrains | 1 Youtrack | 2025-01-31 | N/A | 8.0 HIGH |
|
In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox
|
|||||
| CVE-2024-54153 | 1 Jetbrains | 1 Youtrack | 2025-01-31 | N/A | 3.1 LOW |
|
In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter
|
|||||
| CVE-2024-54158 | 1 Jetbrains | 1 Youtrack | 2025-01-30 | N/A | 3.5 LOW |
|
In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding
|
|||||
| CVE-2024-54157 | 1 Jetbrains | 1 Youtrack | 2025-01-30 | N/A | 4.3 MEDIUM |
|
In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector
|
|||||
| CVE-2024-54156 | 1 Jetbrains | 1 Youtrack | 2025-01-30 | N/A | 4.2 MEDIUM |
|
In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack
|
|||||
| CVE-2025-24458 | 1 Jetbrains | 1 Youtrack | 2025-01-30 | N/A | 7.1 HIGH |
|
In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration
|
|||||
| CVE-2025-24457 | 1 Jetbrains | 1 Youtrack | 2025-01-30 | N/A | 5.5 MEDIUM |
|
In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs
|
|||||
| CVE-2024-35299 | 1 Jetbrains | 1 Youtrack | 2025-01-28 | N/A | 5.9 MEDIUM |
|
In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation
|
|||||
| CVE-2024-28228 | 1 Jetbrains | 1 Youtrack | 2024-12-16 | N/A | 5.3 MEDIUM |
|
In JetBrains YouTrack before 2024.1.25893 creation comments on behalf of an arbitrary user in HelpDesk was possible
|
|||||
| CVE-2024-28229 | 1 Jetbrains | 1 Youtrack | 2024-12-16 | N/A | 6.5 MEDIUM |
|
In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles
|
|||||
| CVE-2024-28230 | 1 Jetbrains | 1 Youtrack | 2024-12-16 | N/A | 6.5 MEDIUM |
|
In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions
|
|||||
| CVE-2024-38506 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | N/A | 6.3 MEDIUM |
|
In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows
|
|||||
| CVE-2024-38505 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | N/A | 5.3 MEDIUM |
|
In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site
|
|||||
| CVE-2024-38504 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | N/A | 4.3 MEDIUM |
|
In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles
|
|||||
| CVE-2024-22370 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | N/A | 4.6 MEDIUM |
|
In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible
|
|||||
| CVE-2023-50871 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | N/A | 4.3 MEDIUM |
|
In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed
|
|||||
| CVE-2023-38068 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | N/A | 6.5 MEDIUM |
|
In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms
|
|||||
| CVE-2023-35054 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | N/A | 4.6 MEDIUM |
|
In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible
|
|||||
| CVE-2023-35053 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | N/A | 7.5 HIGH |
|
In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms
|
|||||
| CVE-2022-28650 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 3.5 LOW | 7.3 HIGH |
|
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
|
|||||
| CVE-2022-28649 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 3.5 LOW | 4.6 MEDIUM |
|
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description
|
|||||
| CVE-2022-28648 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 3.5 LOW | 5.7 MEDIUM |
|
In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered
|
|||||
| CVE-2022-24442 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
|
|||||
| CVE-2022-24347 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.
|
|||||
| CVE-2022-24344 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.
|
|||||
| CVE-2022-24343 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.
|
|||||
| CVE-2021-43186 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.
|
|||||
| CVE-2021-43185 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.
|
|||||
| CVE-2021-43184 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 3.5 LOW | 5.4 MEDIUM |
|
In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.
|
|||||