Description
In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
Published: 2026-06-26
Score: 2.6 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a prototype pollution flaw in the websandbox bridge of JetBrains YouTrack before 2026.2.16593. An attacker can alter the prototypes of core JavaScript objects through crafted input, leading to unintended behavior or leaks. This weakness is classified as CWE‑1321.

Affected Systems

Affected systems are JetBrains YouTrack installations running any version earlier than 2026.2.16593. No other products or major patches are listed. The vulnerability does not affect related services beyond the embedded websandbox component.

Risk and Exploitability

The CVSS score of 2.6 indicates low severity, and the EPSS score is not available, so known exploitation activity cannot be confirmed. The vulnerability appears to require an attacker to supply malicious data to the websandbox bridge, which could be achieved by exploiting other web application weakness or through insecure configuration. Since it is not listed in the CISA Known Exploited Vulnerabilities catalog, there is currently no evidence of active exploitation.

Generated by OpenCVE AI on June 26, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetBrains YouTrack to version 2026.2.16593 or newer.
  • If upgrade is not yet feasible, disable or restrict access to the websandbox bridge component to prevent external input from reaching it.
  • Monitor the application logs for prototype changes and anomalous script execution, and adjust internal security policies accordingly.

Generated by OpenCVE AI on June 26, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Jetbrains
Jetbrains youtrack
Vendors & Products Jetbrains
Jetbrains youtrack

Fri, 26 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Prototype Pollution in JetBrains YouTrack Websandbox Bridge Before 2026.2.16593

Fri, 26 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 26 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Jetbrains Youtrack
cve-icon MITRE

Status: PUBLISHED

Assigner: JetBrains

Published:

Updated: 2026-06-26T13:45:02.085Z

Reserved: 2026-06-26T12:21:24.396Z

Link: CVE-2026-57926

cve-icon Vulnrichment

Updated: 2026-06-26T13:26:28.119Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')