CVE-2026-28193
In JetBrains YouTrack before 2025.3.121962 apps were able to send requests to the app permissions endpoint
CVE-2026-25846
In JetBrains YouTrack before 2025.3.119033 access tokens could be exposed in Mailbox logs
CVE-2025-64773
In JetBrains YouTrack before 2025.3.104432 a race condition allowed bypass of helpdesk Agent limit
CVE-2025-64685
In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure
CVE-2025-64684
In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form
CVE-2025-57731
In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content
CVE-2025-54527
In JetBrains YouTrack before 2025.2.86935,
2025.2.87167,
2025.3.87341,
2025.3.87344 improper iframe configuration in widget sandbox allows popups to bypass security restrictions
CVE-2025-53959
In JetBrains YouTrack before 2025.2.86069,
2024.3.85077,
2025.1.86199 email spoofing via an administrative API was possible
CVE-2025-48391
In JetBrains YouTrack before 2025.1.76253 deletion of issues was possible due to missing permission checks in API
CVE-2025-47850
In JetBrains YouTrack before 2025.1.74704 restricted attachments could become visible after issue cloning
CVE-2025-24458
In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration
CVE-2025-24457
In JetBrains YouTrack before 2024.3.55417 permanent tokens could be exposed in logs