Description
In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

JetBrains YouTrack versions prior to 2026.1.13162 contain a stored cross‑site scripting (XSS) vulnerability in project notification templates. The flaw lets an attacker inject script into a template that then executes in the browsers of users who view the resulting notifications, potentially exposing sensitive data, hijacking sessions, or enabling other client‑side attacks. The weakness is classified as CWE‑79.

Affected Systems

JetBrains YouTrack before 2026.1.13162 is affected. No other vendors or versions are listed.

Risk and Exploitability

The CVSS score is 8.7, indicating high severity; no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker submitting a malicious template through the YouTrack user interface, which is then stored and rendered for other users. Because the vulnerability requires access to the template editing feature, an attacker first needs valid user credentials, or a compromised account, with template edit rights. Once a malicious template is stored, every user who views a notification rendered from it is exposed to the injected script.

Generated by OpenCVE AI on May 29, 2026 at 19:41 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains YouTrack to version 2026.1.13162 or later.
  • If an upgrade is not immediately possible, restrict access to notification template editing to trusted administrators only.
  • As a temporary safeguard, disable or remove the ability to create or edit notification templates for untrusted users to prevent the abuse of the stored XSS flaw.

Advisories

No advisories yet.

History

Fri, 29 May 2026 20:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 20:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Jetbrains; Jetbrains youtrack
Vendors & Products    -                Jetbrains; Jetbrains youtrack

Fri, 29 May 2026 20:00:00 +0000

Type    Values Removed   Values Added
Title   -                Stored Cross‑Site Scripting in JetBrains YouTrack Notification Templates

Fri, 29 May 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description   -                In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible
Weaknesses    -                CWE-79
References    -                -
Metrics       -                cvssV3_1: {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-05-29T19:31:08.334Z

Reserved: 2026-05-29T18:07:53.529Z

Link: CVE-2026-49368

Vulnrichment

Updated: 2026-05-29T19:31:03.270Z

NVD

Status : Awaiting Analysis

Published: 2026-05-29T19:16:26.553

Modified: 2026-05-29T20:11:15.977

Link: CVE-2026-49368

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T20:00:05Z

Weaknesses