JetBrains YouTrack

By the Year

In 2025 there have so far been 2 vulnerabilities published for JetBrains YouTrack, with an average CVSS base score of 6.7 out of ten. In 2024 YouTrack had 28 security vulnerabilities published. At this rate YouTrack is on track to have fewer security vulnerabilities in 2025 than it did last year, although the average CVE base score of the 2025 vulnerabilities is 0.56 higher. With only two 2025 entries, that average rests on a very small sample.

Year  Vulnerabilities  Average score
2025   2               6.65
2024  28               6.09
2023   4               6.13
2022   7               5.87
2021  21               6.56
2020  18               5.89
2019  11               7.70
2018   0               0.00

It may take a day or so for new YouTrack vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent JetBrains Youtrack Security Vulnerabilities

CVE-2025-24457 5.5 - Medium - January 21, 2025

In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs

Insertion of Sensitive Information into Log File

CVE-2025-24458 7.8 - High - January 21, 2025

In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration

Authentication Bypass by Spoofing

JetBrains YouTrack Improper Access Control Vulnerability in Project Listing

CVE-2024-54155 5.3 - Medium - December 04, 2024

In JetBrains YouTrack before 2024.3.51866 improper access control allowed listing of project names during app import without authentication

Missing Authentication for Critical Function

JetBrains YouTrack Punycode Encoding Spoofing Vulnerability

CVE-2024-54158 5.3 - Medium - December 04, 2024

In JetBrains YouTrack before 2024.3.52635 potential spoofing attack was possible via lack of Punycode encoding

Authentication Bypass by Spoofing

JetBrains YouTrack Ruby Syntax Detector ReDoS Vulnerability

CVE-2024-54157 6.5 - Medium - December 04, 2024

In JetBrains YouTrack before 2024.3.52635 potential ReDoS was possible due to vulnerable RegExp in Ruby syntax detector

ReDoS

JetBrains YouTrack Multiple Merge Functions Prototype Pollution Vulnerability

CVE-2024-54156 6.5 - Medium - December 04, 2024

In JetBrains YouTrack before 2024.3.52635 multiple merge functions were vulnerable to prototype pollution attack

Prototype Pollution

JetBrains YouTrack Path Traversal Vulnerability in Plugin Sandbox

CVE-2024-54154 9.8 - Critical - December 04, 2024

In JetBrains YouTrack before 2024.3.51866 system takeover was possible through path traversal in plugin sandbox

Directory traversal

JetBrains YouTrack Unauthenticated Database Backup Download Vulnerability

CVE-2024-54153 6.5 - Medium - December 04, 2024

In JetBrains YouTrack before 2024.3.51866 unauthenticated database backup download was possible via vulnerable query parameter

Missing Authentication for Critical Function

CVE-2024-50579 6.1 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 reflected XSS due to insecure link sanitization was possible

XSS

CVE-2024-50580 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 multiple XSS were possible due to insecure markdown parsing and custom rendering rule

XSS

CVE-2024-50581 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 improper HTML sanitization could lead to XSS attack via comment tag

XSS

CVE-2024-50582 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible due to improper HTML sanitization in markdown elements

XSS

CVE-2024-50574 7.5 - High - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 potential ReDoS exploit was possible via email header parsing in Helpdesk functionality

ReDoS

CVE-2024-50575 6.1 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 reflected XSS was possible in Widget API

XSS

CVE-2024-50576 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via vendor URL in App manifest

XSS

CVE-2024-50577 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via Angular template injection in Hub settings

XSS

CVE-2024-50578 5.4 - Medium - October 28, 2024

In JetBrains YouTrack before 2024.3.47707 stored XSS was possible via sprint value on agile boards page

XSS

CVE-2024-49579 6.1 - Medium - October 17, 2024

In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests

Improper Verification of Source of a Communication Channel

CVE-2024-48902 5.4 - Medium - October 10, 2024

In JetBrains YouTrack before 2024.3.46677 improper access control allowed users with project update permission to delete applications via API

AuthZ

CVE-2024-47159 4.3 - Medium - September 19, 2024

In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached to a project

AuthZ

CVE-2024-47160 5.3 - Medium - September 19, 2024

In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible

AuthZ

CVE-2024-47162 5.3 - Medium - September 19, 2024

In JetBrains YouTrack before 2024.3.44799 token could be revealed on Imports page

Insufficiently Protected Credentials

CVE-2024-38504 5.3 - Medium - June 18, 2024

In JetBrains YouTrack before 2024.2.34646 the Guest User Account was enabled for attaching files to articles

AuthZ

CVE-2024-38505 7.5 - High - June 18, 2024

In JetBrains YouTrack before 2024.2.34646 user access token was sent to the third-party site

Insufficiently Protected Credentials

CVE-2024-38506 8.1 - High - June 18, 2024

In JetBrains YouTrack before 2024.2.34646 user without appropriate permissions could enable the auto-attach option for workflows

AuthZ

CVE-2024-35299 7.5 - High - May 16, 2024

In JetBrains YouTrack before 2024.1.29548 the SMTPS protocol communication lacked proper certificate hostname validation

Improper Certificate Validation

CVE-2024-28229 6.5 - Medium - March 07, 2024

In JetBrains YouTrack before 2024.1.25893 user without appropriate permissions could restore issues and articles

AuthZ

CVE-2024-28228 5.3 - Medium - March 07, 2024

In JetBrains YouTrack before 2024.1.25893 creating comments on behalf of an arbitrary user in HelpDesk was possible

Authentication Bypass by Spoofing

CVE-2024-28230 6.5 - Medium - March 07, 2024

In JetBrains YouTrack before 2024.1.25893 attaching/detaching workflow to a project was possible without project admin permissions

AuthZ

CVE-2024-22370 5.4 - Medium - January 09, 2024

In JetBrains YouTrack before 2023.3.22666 stored XSS via markdown was possible

XSS

CVE-2023-50871 4.3 - Medium - December 15, 2023

In JetBrains YouTrack before 2023.3.22268 authorization check for inline comments inside thread replies was missed

CVE-2023-38068 7.3 - High - July 12, 2023

In JetBrains YouTrack before 2023.1.16597 captcha was not properly validated for Helpdesk forms

Insufficient anti-automation

CVE-2023-35053 7.5 - High - June 12, 2023

In JetBrains YouTrack before 2023.1.10518 a DoS attack was possible via Helpdesk forms

CVE-2023-35054 5.4 - Medium - June 12, 2023

In JetBrains YouTrack before 2023.1.10518 stored XSS in a Markdown-rendering engine was possible

XSS

CVE-2022-28648 5.4 - Medium - April 05, 2022

In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered

XSS

CVE-2022-28649 5.4 - Medium - April 05, 2022

In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description

Clickjacking

CVE-2022-28650 5.4 - Medium - April 05, 2022

In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI

XSS

CVE-2022-24442 9.8 - Critical - February 25, 2022

JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.

Code Injection

CVE-2022-24343 4.3 - Medium - February 25, 2022

In JetBrains YouTrack before 2021.4.31698, a custom logo could be set by a user who has read-only permissions.

Incorrect Default Permissions

CVE-2022-24344 5.4 - Medium - February 25, 2022

JetBrains YouTrack before 2021.4.31698 was vulnerable to stored XSS on the Notification templates page.

XSS

CVE-2022-24347 5.4 - Medium - February 25, 2022

JetBrains YouTrack before 2021.4.36872 was vulnerable to stored XSS via a project icon.

XSS

CVE-2021-43184 5.4 - Medium - November 09, 2021

In JetBrains YouTrack before 2021.3.21051, stored XSS is possible.

XSS

CVE-2021-43185 9.8 - Critical - November 09, 2021

JetBrains YouTrack before 2021.3.23639 is vulnerable to Host header injection.

Injection

CVE-2021-43186 5.4 - Medium - November 09, 2021

JetBrains YouTrack before 2021.3.24402 is vulnerable to stored XSS.

XSS

CVE-2021-37553 7.5 - High - August 06, 2021

In JetBrains YouTrack before 2021.2.16363, an insecure PRNG was used.

PRNG

CVE-2021-37551 5.3 - Medium - August 06, 2021

In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.

Use of Password Hash With Insufficient Computational Effort
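The three weaknesses fixed in 2021.2.16363 (CVE-2021-37553, insecure PRNG; CVE-2021-37551, SHA-256 password hashing; and CVE-2021-37550, time-unsafe comparisons, listed further down) are generic weakness classes rather than YouTrack-specific bugs, so each has a standard hardened form. The following Python is an added illustration, not YouTrack's code and not the fix JetBrains shipped: it puts the weak pattern beside its replacement for each class. All function names and the sample password are this example's own.

```python
"""Weak-versus-hardened forms of the three weakness classes fixed in YouTrack 2021.2.16363.

Added illustration in generic Python; not YouTrack's code. Function names are this
example's own."""
import hashlib
import hmac
import os
import random
import secrets
from typing import Optional


# --- CVE-2021-37553 class: insecure PRNG ---------------------------------------
def token_insecure(nbytes: int = 32, rng: Optional[random.Random] = None) -> str:
    """random.Random is a Mersenne Twister: its state is recoverable from observed
    outputs, and a known or guessable seed makes every token reproducible."""
    rng = rng if rng is not None else random
    return "".join(f"{rng.getrandbits(8):02x}" for _ in range(nbytes))


def insecure_token_from_seed(seed: int) -> str:
    """Shows the failure mode: anyone holding the seed regenerates the same token."""
    return token_insecure(rng=random.Random(seed))


def token_secure(nbytes: int = 32) -> str:
    """secrets draws from the OS CSPRNG; past outputs reveal nothing about future ones."""
    return secrets.token_hex(nbytes)


# --- CVE-2021-37551 class: fast unsalted hash used for passwords ---------------
def hash_password_insecure(password: str) -> str:
    """Unsalted SHA-256: equal passwords collide across users and the digest is
    cheap enough to brute-force at GPU speed."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password_secure(password: str, salt: Optional[bytes] = None) -> str:
    """scrypt (memory-hard) with a fresh 16-byte salt; parameters are stored with
    the hash so they can be raised later without breaking old records."""
    salt = os.urandom(16) if salt is None else salt
    n, r, p = 2 ** 14, 8, 1
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, dk_hex = parts
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=len(dk_hex) // 2)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# --- CVE-2021-37550 class: time-unsafe comparison -------------------------------
def check_token_insecure(presented: str, expected: str) -> bool:
    """Ordinary equality can stop at the first differing byte, so its timing can
    depend on how much of the secret matched; a remote attacker measuring it can
    recover the secret incrementally."""
    return presented == expected


def check_token_secure(presented: str, expected: str) -> bool:
    """hmac.compare_digest takes time independent of where the inputs differ."""
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    # Same seed -> same token: whoever knows the seed knows every token issued.
    assert insecure_token_from_seed(1234) == insecure_token_from_seed(1234)
    assert token_secure() != token_secure()
    # Two users with the same password share an unsalted digest but not a scrypt hash.
    assert hash_password_insecure("hunter2") == hash_password_insecure("hunter2")
    assert hash_password_secure("hunter2") != hash_password_secure("hunter2")
    assert verify_password("hunter2", hash_password_secure("hunter2"))
    assert not verify_password("hunter3", hash_password_secure("hunter2"))
    assert check_token_secure("tok", "tok") and not check_token_secure("tok", "tak")
    print("ok")
```

The scrypt parameters (n=2^14, r=8, p=1) are a common interactive-login baseline; the point of storing them in the record is that they can be raised as hardware improves, which an unsalted SHA-256 column cannot do.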

CVE-2021-37552 5.4 - Medium - August 06, 2021

In JetBrains YouTrack before 2021.2.17925, stored XSS was possible.

XSS

CVE-2021-37554 4.3 - Medium - August 06, 2021

In JetBrains YouTrack before 2021.3.21051, a user could see boards without having corresponding permissions.

Information Disclosure

CVE-2021-37549 9.1 - Critical - August 06, 2021

In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient.

CVE-2021-37550 7.5 - High - August 06, 2021

In JetBrains YouTrack before 2021.2.16363, time-unsafe comparisons were used.

Incorrect Comparison
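The check a practitioner wants from a list like this is "which of these apply to my instance?". The following Python script is an added example, not stack.watch's or JetBrains' code. Its FIXES table is transcribed from the entries above (fixed-in build and CVSS base score for each of the 50 CVEs listed), and it assumes a YouTrack version string of the form YEAR.MINOR.BUILD (for example 2024.3.47707) whose three numeric parts sort in release order, reading each advisory's "before X" literally: any build that sorts below X is treated as affected. It knows only the CVEs on this page, so it inherits the page's own caveats: the list can lag a new disclosure by a day and may miss issues filed under another product name.

```python
"""Match a YouTrack version string against the fix versions listed on this page.

Added example; not stack.watch's or JetBrains' code. FIXES maps each fixed-in build
(as printed in the entries above) to the CVEs it closed and their CVSS base scores.
Assumes version strings of the form YEAR.MINOR.BUILD that sort numerically."""
import re
import sys
from typing import Dict, List, Tuple

FIXES: Dict[str, List[Tuple[str, float]]] = {
    "2024.3.55417": [("CVE-2025-24457", 5.5), ("CVE-2025-24458", 7.8)],
    "2024.3.52635": [("CVE-2024-54158", 5.3), ("CVE-2024-54157", 6.5), ("CVE-2024-54156", 6.5)],
    "2024.3.51866": [("CVE-2024-54155", 5.3), ("CVE-2024-54154", 9.8), ("CVE-2024-54153", 6.5)],
    "2024.3.47707": [("CVE-2024-50579", 6.1), ("CVE-2024-50580", 5.4), ("CVE-2024-50581", 5.4),
                     ("CVE-2024-50582", 5.4), ("CVE-2024-50574", 7.5), ("CVE-2024-50575", 6.1),
                     ("CVE-2024-50576", 5.4), ("CVE-2024-50577", 5.4), ("CVE-2024-50578", 5.4)],
    "2024.3.47197": [("CVE-2024-49579", 6.1)],
    "2024.3.46677": [("CVE-2024-48902", 5.4)],
    "2024.3.44799": [("CVE-2024-47159", 4.3), ("CVE-2024-47160", 5.3), ("CVE-2024-47162", 5.3)],
    "2024.2.34646": [("CVE-2024-38504", 5.3), ("CVE-2024-38505", 7.5), ("CVE-2024-38506", 8.1)],
    "2024.1.29548": [("CVE-2024-35299", 7.5)],
    "2024.1.25893": [("CVE-2024-28229", 6.5), ("CVE-2024-28228", 5.3), ("CVE-2024-28230", 6.5)],
    "2023.3.22666": [("CVE-2024-22370", 5.4)],
    "2023.3.22268": [("CVE-2023-50871", 4.3)],
    "2023.1.16597": [("CVE-2023-38068", 7.3)],
    "2023.1.10518": [("CVE-2023-35053", 7.5), ("CVE-2023-35054", 5.4)],
    "2022.1.43700": [("CVE-2022-28650", 5.4)],
    "2022.1.43563": [("CVE-2022-28648", 5.4), ("CVE-2022-28649", 5.4)],
    "2021.4.40426": [("CVE-2022-24442", 9.8)],
    "2021.4.36872": [("CVE-2022-24347", 5.4)],
    "2021.4.31698": [("CVE-2022-24343", 4.3), ("CVE-2022-24344", 5.4)],
    "2021.3.24402": [("CVE-2021-43186", 5.4)],
    "2021.3.23639": [("CVE-2021-43185", 9.8)],
    "2021.3.21051": [("CVE-2021-43184", 5.4), ("CVE-2021-37554", 4.3)],
    "2021.2.17925": [("CVE-2021-37552", 5.4)],
    "2021.2.16363": [("CVE-2021-37553", 7.5), ("CVE-2021-37551", 5.3), ("CVE-2021-37550", 7.5)],
    "2021.1.11111": [("CVE-2021-37549", 9.1)],
}

_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)\.(\d+)")


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2024.3.47707' -> (2024, 3, 47707). Trailing edition text is tolerated."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised YouTrack version string: {version!r}")
    year, minor, build = (int(x) for x in m.groups())
    return year, minor, build


def affected_cves(version: str) -> List[Tuple[str, float, str]]:
    """Every listed CVE whose fix landed in a build newer than `version`, as
    (cve, score, fixed_in), highest score first. A build that sorts below a
    fix build is treated as affected by everything that build closed."""
    installed = parse_version(version)
    hits = [(cve, score, fixed)
            for fixed, cves in FIXES.items()
            if installed < parse_version(fixed)
            for cve, score in cves]
    hits.sort(key=lambda h: (-h[1], h[0]))
    return hits


def worst_score(version: str) -> float:
    """Highest CVSS base score among the affected CVEs; 0.0 when none apply."""
    return max((score for _, score, _ in affected_cves(version)), default=0.0)


def report(version: str) -> str:
    """Human-readable summary, one line per affected CVE."""
    hits = affected_cves(version)
    if not hits:
        return f"{version}: none of the listed CVEs apply"
    lines = [f"{version}: {len(hits)} listed CVE(s) apply, worst CVSS {worst_score(version)}"]
    lines += [f"  {cve:<16} {score:>4}  fixed in {fixed}" for cve, score, fixed in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(sys.argv[1] if len(sys.argv) > 1 else "2024.3.47707"))
```

Run it with the version string your instance reports as its only argument. A build of 2024.3.47707, for instance, is clear of the October 2024 XSS batch but still carries the December 2024 plugin-sandbox path traversal (CVE-2024-54154, 9.8) and both January 2025 issues, which is the kind of gap a "recent vulnerabilities" list is easy to misread.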
