CVE-2026-49368
Stored XSS in JetBrains YouTrack
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: JetBrains s.r.o.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jetbrains | youtrack | to 2026.1.13162 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) issue found in JetBrains YouTrack versions before 2026.1.13162. It occurs in project notification templates, where malicious scripts can be injected and stored, potentially executed when users view the affected templates.
How can this vulnerability impact me? :
The impact of this vulnerability is significant as it allows attackers to execute malicious scripts in the context of the affected application. According to the CVSS score of 8.7, it can lead to high confidentiality and integrity impacts, such as unauthorized access to sensitive information or manipulation of data, but it does not affect availability.