JetBrains Youtrack
By the Year
In 2025 there have been 2 vulnerabilities in JetBrains YouTrack with an average score of 6.7 out of ten. In 2024, YouTrack had 28 security vulnerabilities published. Right now, YouTrack is on track to have fewer security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.56.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 2 | 6.65 |
| 2024 | 28 | 6.09 |
| 2023 | 4 | 6.13 |
| 2022 | 7 | 5.87 |
| 2021 | 21 | 6.56 |
| 2020 | 18 | 5.89 |
| 2019 | 11 | 7.70 |
| 2018 | 0 | 0.00 |
It may take a day or so for new YouTrack vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent JetBrains Youtrack Security Vulnerabilities
In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs
CVE-2025-24457
5.5 - Medium
January 21, 2025
Insertion of Sensitive Information into Log File
In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration
CVE-2025-24458
7.8 - High
January 21, 2025
Authentication Bypass by Spoofing
JetBrains YouTrack Improper Access Control Vulnerability in Project Listing
CVE-2024-54155
5.3 - Medium
December 04, 2024
In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication
Missing Authentication for Critical Function
JetBrains YouTrack Punycode Encoding Spoofing Vulnerability
CVE-2024-54158
5.3 - Medium
December 04, 2024
In JetBrains YouTrack before 2024.3.52635 a potential spoofing attack was possible via lack of Punycode encoding
Authentication Bypass by Spoofing
JetBrains YouTrack Ruby Syntax Detector ReDoS Vulnerability
CVE-2024-54157
6.5 - Medium
December 04, 2024
In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to a vulnerable RegExp in the Ruby syntax detector
ReDoS
JetBrains YouTrack Multiple Merge Functions Prototype Pollution Vulnerability
CVE-2024-54156
6.5 - Medium
December 04, 2024
In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to a prototype pollution attack
Prototype Pollution
JetBrains YouTrack Path Traversal Vulnerability in Plugin Sandbox
CVE-2024-54154
9.8 - Critical
December 04, 2024
In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in the plugin sandbox
Directory traversal
JetBrains YouTrack Unauthenticated Database Backup Download Vulnerability
CVE-2024-54153
6.5 - Medium
December 04, 2024
In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via a vulnerable query parameter
Missing Authentication for Critical Function
In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible
CVE-2024-50579
6.1 - Medium
October 28, 2024
XSS
In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and a custom rendering rule
CVE-2024-50580
5.4 - Medium
October 28, 2024
XSS
In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to an XSS attack via comment tag
CVE-2024-50581
5.4 - Medium
October 28, 2024
XSS
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements
CVE-2024-50582
5.4 - Medium
October 28, 2024
XSS
In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality
CVE-2024-50574
7.5 - High
October 28, 2024
ReDoS
In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API
CVE-2024-50575
6.1 - Medium
October 28, 2024
XSS
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest
CVE-2024-50576
5.4 - Medium
October 28, 2024
XSS
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings
CVE-2024-50577
5.4 - Medium
October 28, 2024
XSS
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page
CVE-2024-50578
5.4 - Medium
October 28, 2024
XSS
In JetBrains YouTrack before 2024.3.47197 an insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests
CVE-2024-49579
6.1 - Medium
October 17, 2024
Improper Verification of Source of a Communication Channel
In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API
CVE-2024-48902
5.4 - Medium
October 10, 2024
AuthZ
In JetBrains YouTrack before 2024.3.44799 a user without appropriate permissions could restore workflows attached to a project
CVE-2024-47159
4.3 - Medium
September 19, 2024
AuthZ
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
CVE-2024-47160
5.3 - Medium
September 19, 2024
AuthZ
In JetBrains YouTrack before 2024.3.44799 a token could be revealed on the Imports page
CVE-2024-47162
5.3 - Medium
September 19, 2024
Insufficiently Protected Credentials
In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles
CVE-2024-38504
5.3 - Medium
June 18, 2024
AuthZ
In JetBrains YouTrack before 2024.2.34646 the user access token was sent to a third-party site
CVE-2024-38505
7.5 - High
June 18, 2024
Insufficiently Protected Credentials
In JetBrains YouTrack before 2024.2.34646 a user without appropriate permissions could enable the auto-attach option for workflows
CVE-2024-38506
8.1 - High
June 18, 2024
AuthZ
In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation
CVE-2024-35299
7.5 - High
May 16, 2024
Improper Certificate Validation
In JetBrains YouTrack before 2024.1.25893 a user without appropriate permissions could restore issues and articles
CVE-2024-28229
6.5 - Medium
March 07, 2024
AuthZ
In JetBrains YouTrack before 2024.1.25893 creating comments on behalf of an arbitrary user in HelpDesk was possible
CVE-2024-28228
5.3 - Medium
March 07, 2024
Authentication Bypass by Spoofing
In JetBrains YouTrack before 2024.1.25893 attaching/detaching a workflow to a project was possible without project admin permissions
CVE-2024-28230
6.5 - Medium
March 07, 2024
AuthZ
In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible
CVE-2024-22370
5.4 - Medium
January 09, 2024
XSS
In JetBrains YouTrack before 2023.3.22268 the authorization check for inline comments inside thread replies was missing
CVE-2023-50871
4.3 - Medium
December 15, 2023
In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms
CVE-2023-38068
7.3 - High
July 12, 2023
Insufficient anti-automation
In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms
CVE-2023-35053
7.5 - High
June 12, 2023
In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible
CVE-2023-35054
5.4 - Medium
June 12, 2023
XSS
In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered
CVE-2022-28648
5.4 - Medium
April 05, 2022
XSS
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description
CVE-2022-28649
5.4 - Medium
April 05, 2022
Clickjacking
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
CVE-2022-28650
5.4 - Medium
April 05, 2022
XSS
JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
CVE-2022-24442
9.8 - Critical
February 25, 2022
Code Injection
In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.
CVE-2022-24343
4.3 - Medium
February 25, 2022
Incorrect Default Permissions
JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.
CVE-2022-24344
5.4 - Medium
February 25, 2022
XSS
JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.
CVE-2022-24347
5.4 - Medium
February 25, 2022
XSS
In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.
CVE-2021-43184
5.4 - Medium
November 09, 2021
XSS
JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.
CVE-2021-43185
9.8 - Critical
November 09, 2021
Injection
JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.
CVE-2021-43186
5.4 - Medium
November 09, 2021
XSS
In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used.
CVE-2021-37553
7.5 - High
August 06, 2021
PRNG
In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.
CVE-2021-37551
5.3 - Medium
August 06, 2021
Use of Password Hash With Insufficient Computational Effort
In JetBrains YouTrack before 2021.2.17925, stored XSS was possible.
CVE-2021-37552
5.4 - Medium
August 06, 2021
XSS
In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.
CVE-2021-37554
4.3 - Medium
August 06, 2021
Information Disclosure
In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient.
CVE-2021-37549
9.1 - Critical
August 06, 2021
In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used.
CVE-2021-37550
7.5 - High
August 06, 2021
Incorrect Comparison
