JetBrains Youtrack
By the Year
In 2025 there have been 15 vulnerabilities in JetBrains Youtrack with an average score of 6.0 out of ten. Last year, in 2024, Youtrack had 28 security vulnerabilities published. Right now, Youtrack is on track to have fewer security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 0.14.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 15 | 5.95 |
| 2024 | 28 | 6.09 |
| 2023 | 4 | 6.13 |
| 2022 | 7 | 5.87 |
| 2021 | 21 | 6.56 |
| 2020 | 18 | 5.89 |
| 2019 | 11 | 7.70 |
It may take a day or so for new Youtrack vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent JetBrains Youtrack Security Vulnerabilities
YouTrack <2025.3.104432 Race Condition Bypass Helpdesk Agent Limit
CVE-2025-64773
2.7 - Low
- November 11, 2025
In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit
Race Condition
JetBrains YouTrack <2025.3.104432 Insecure Junie Config: Data Exposure + Unauthorized Changes
CVE-2025-64690
5.4 - Medium
- November 10, 2025
In JetBrains YouTrack before 2025.3.104432 insecure Junie configuration could lead to data exposure and unauthorized changes
AuthZ
YouTrack <2025.3.104432 Junie Token Leak via Misconfig
CVE-2025-64689
9.6 - Critical
- November 10, 2025
In JetBrains YouTrack before 2025.3.104432 a misconfiguration in Junie could lead to exposure of the global Junie token
Insufficiently Protected Credentials
JetBrains YouTrack <2025.3.104432 URL Validation Flaw: Unauthorized Repo Access
CVE-2025-64688
7.4 - High
- November 10, 2025
In JetBrains YouTrack before 2025.3.104432 missing VCS URL validation allowed delegation to unauthorized repositories from the Junie widget
Insecure Direct Object Reference / IDOR
JetBrains YouTrack <2025.3.104432 Improper Access Control in MCP Logic
CVE-2025-64687
5.4 - Medium
- November 10, 2025
In JetBrains YouTrack before 2025.3.104432 improper access control allowed modification of MCP tool logic
AuthZ
YouTrack <2025.3.104432: Auth Context Reuse via Missing Principal Cleanup
CVE-2025-64686
3.1 - Low
- November 10, 2025
In JetBrains YouTrack before 2025.3.104432 missing user principal cleanup led to reuse of incorrect authorization context
Operation on a Resource after Expiration or Release
YouTrack TLS Cert Validation Bypass CVE-2025-64685 (pre 2025.3.104432)
CVE-2025-64685
8.1 - High
- November 10, 2025
In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure
Improper Certificate Validation
CVE-2025-64684: YouTrack < 2025.3.104432 Info Disclosure via Feedback Form
CVE-2025-64684
4.5 - Medium
- November 10, 2025
In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form
AuthZ
YouTrack XSS via Mermaid diagram pre-2025.2.92387
CVE-2025-57731
- August 20, 2025
In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content
XSS
YouTrack XSS via iframe sandbox bypass before 2025.2.86935
CVE-2025-54527
- July 28, 2025
In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344 improper iframe configuration in widget sandbox allows popups to bypass security restrictions
Clickjacking
YouTrack < 2025.2.86069 Email Spoofing via Admin API
CVE-2025-53959
- July 15, 2025
In JetBrains YouTrack before 2025.2.86069, 2024.3.85077, 2025.1.86199 email spoofing via an administrative API was possible
AuthZ
YouTrack <2025.1.74704 Restricted Attachments Visible After Cloning
CVE-2025-47850
- May 20, 2025
In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning
Missing Authentication for Critical Function
JetBrains YouTrack <2025.1.76253 API: Issue Deletion w/o Permission Check
CVE-2025-48391
- May 20, 2025
In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API
Missing Authentication for Critical Function
YouTrack Before 2024.3 Permanent Tokens Logged in Logs
CVE-2025-24457
5.5 - Medium
- January 21, 2025
In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs
Insertion of Sensitive Information into Log File
Account Takeover: JetBrains YouTrack <2024.3.55417 via Email Spoof
CVE-2025-24458
7.8 - High
- January 21, 2025
In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration
Authentication Bypass by Spoofing
JetBrains YouTrack Unauthenticated Database Backup Download Vulnerability
CVE-2024-54153
6.5 - Medium
- December 04, 2024
In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter
Missing Authentication for Critical Function
JetBrains YouTrack Path Traversal Vulnerability in Plugin Sandbox
CVE-2024-54154
9.8 - Critical
- December 04, 2024
In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox
Directory traversal
JetBrains YouTrack Improper Access Control Vulnerability in Project Listing
CVE-2024-54155
5.3 - Medium
- December 04, 2024
In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication
Missing Authentication for Critical Function
JetBrains YouTrack Multiple Merge Functions Prototype Pollution Vulnerability
CVE-2024-54156
6.5 - Medium
- December 04, 2024
In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack
Prototype Pollution
JetBrains YouTrack Ruby Syntax Detector ReDoS Vulnerability
CVE-2024-54157
6.5 - Medium
- December 04, 2024
In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector
ReDoS
JetBrains YouTrack Punycode Encoding Spoofing Vulnerability
CVE-2024-54158
5.3 - Medium
- December 04, 2024
In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding
Authentication Bypass by Spoofing
YouTrack <2024.3.47707 XSS via Improper HTML Sanitization in Markdown
CVE-2024-50582
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements
XSS
JetBrains YouTrack <2024.3.47707: XSS via comment tag
CVE-2024-50581
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag
XSS
YouTrack XSS via insecure markdown parsing before 2024.3.47707
CVE-2024-50580
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule
XSS
JetBrains YouTrack <2024.3.47707 Reflected XSS via Insecure Link Sanitization
CVE-2024-50579
6.1 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible
XSS
JetBrains YouTrack <2024.3.47707 Stored XSS via Sprint Value on Agile Boards
CVE-2024-50578
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page
XSS
ReDoS in JetBrains YouTrack 2024.3 Helpdesk email header parse pre-2024.3.47707
CVE-2024-50574
7.5 - High
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality
ReDoS
Reflected XSS in JetBrains YouTrack Widget API before 2024.3.47707
CVE-2024-50575
6.1 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API
XSS
JetBrains YouTrack <2024.3.47707 Stored XSS via Vendor URL
CVE-2024-50576
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest
XSS
XSS via Angular Template Injection in JetBrains YouTrack <2024.3.47707 Hub Settings
CVE-2024-50577
5.4 - Medium
- October 28, 2024
In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings
XSS
JetBrains YouTrack <2024.3.47197: insecure iframe -> exec arbitrary JS
CVE-2024-49579
6.1 - Medium
- October 17, 2024
In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests
Improper Verification of Source of a Communication Channel
JetBrains YouTrack <2024.3.46677 Improper Access Control: API Delete
CVE-2024-48902
5.4 - Medium
- October 10, 2024
In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API
AuthZ
Unprivileged Workflow Restore in JetBrains YouTrack before 2024.3.44799
CVE-2024-47159
4.3 - Medium
- September 19, 2024
In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project
AuthZ
JetBrains YouTrack <2024.3.44799 Unauth Access to Global Config
CVE-2024-47160
5.3 - Medium
- September 19, 2024
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible
AuthZ
YouTrack <2024.3.44799 Token Exposure on Imports Page
CVE-2024-47162
5.3 - Medium
- September 19, 2024
In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page
Insufficiently Protected Credentials
JetBrains YouTrack < 2024.2.34646 PrivEsc via AutoAttach Workflow
CVE-2024-38506
8.1 - High
- June 18, 2024
In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows
AuthZ
JetBrains YouTrack <2024.2.34646 - User Token Sent to 3rd Party
CVE-2024-38505
7.5 - High
- June 18, 2024
In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site
Insufficiently Protected Credentials
JetBrains YouTrack Guest Account File Attach Enabled before 2024.2.34646
CVE-2024-38504
5.3 - Medium
- June 18, 2024
In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles
AuthZ
YouTrack SMTPS Hostname Validation Bypass (<2024.1.29548)
CVE-2024-35299
7.5 - High
- May 16, 2024
In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation
Improper Certificate Validation
YouTrack < 2024.1.25893: Unauthorized workflow attach/detach (CVE-2024-28230)
CVE-2024-28230
6.5 - Medium
- March 07, 2024
In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions
AuthZ
Privilege Escalation: Restore Issues/Articles in JetBrains YouTrack <2024.1.25893
CVE-2024-28229
6.5 - Medium
- March 07, 2024
In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles
AuthZ
YouTrack HelpDesk Comment Spoofing <2024.1.25893
CVE-2024-28228
5.3 - Medium
- March 07, 2024
In JetBrains YouTrack before 2024.1.25893 creating comments on behalf of an arbitrary user in HelpDesk was possible
Authentication Bypass by Spoofing
Stored XSS via Markdown in JetBrains YouTrack < 2023.3.22666
CVE-2024-22370
5.4 - Medium
- January 09, 2024
In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible
XSS
YouTrack < 2023.3.22268: Missing authorization on inline comments
CVE-2023-50871
4.3 - Medium
- December 15, 2023
In JetBrains YouTrack before 2023.3.22268 the authorization check for inline comments inside thread replies was missing
In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms
CVE-2023-38068
7.3 - High
- July 12, 2023
In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms
Insufficient anti-automation
In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible
CVE-2023-35053
7.5 - High
- June 12, 2023
In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms
In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible
CVE-2023-35054
5.4 - Medium
- June 12, 2023
In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible
XSS
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe
CVE-2022-28649
5.4 - Medium
- April 05, 2022
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description
Clickjacking
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
CVE-2022-28650
5.4 - Medium
- April 05, 2022
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
XSS
In JetBrains YouTrack before 2022.1.43563 HTML code
CVE-2022-28648
5.4 - Medium
- April 05, 2022
In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered
XSS