HIGH 8.7

CVE-2026-49368: JetBrains YouTrack Stored XSS in Notification Templates (CVSS 8.7)

JetBrains YouTrack versions before 2026.1.13162 contain a stored cross-site scripting (XSS) vulnerability in project notification templates. An authenticated attacker can inject malicious scripts into notification templates that will execute in the browsers of other users who view those notifications. This is a stored XSS rather than a reflected attack, meaning the payload persists and affects multiple users over time, increasing its impact potential.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.7 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

In JetBrains YouTrack before 2026.1.13162 stored XSS in project notification templates was possible

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-49368 is a stored XSS vulnerability affecting YouTrack's project notification template functionality. The vulnerability requires authenticated access (PR:L) and user interaction (UI:R) to exploit, but crosses trust boundaries (S:C), enabling attackers to execute arbitrary JavaScript in victims' browsers with high confidentiality and integrity impact. The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), making it practical to exploit once the attacker gains a foothold in the application.

Business impact

Stored XSS in notification templates can lead to credential theft, session hijacking, and unauthorized actions performed on behalf of compromised users. For organizations using YouTrack for project tracking and team collaboration, this creates supply-chain-like risk: an attacker with legitimate (but potentially low-privileged) access can compromise other team members, potentially including administrators. This undermines trust in your project management data and could facilitate lateral movement within integrated DevOps toolchains.

Affected systems

JetBrains YouTrack installations prior to version 2026.1.13162 are vulnerable. On-premises and cloud-hosted instances are equally affected. Any user who has authenticated access to YouTrack can craft malicious notification templates; any user who views those notifications risks exploitation.

Exploitability

Exploitation requires an authenticated user account and victim interaction (viewing a notification), keeping the CVSS base score at 8.7 rather than critical. The attack is not wormable or self-propagating. However, the low barrier to entry for authenticated users and the persistence of stored payloads make this a practical attack surface for insider threats or compromised lower-privileged accounts. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog.

Remediation

Upgrade YouTrack to version 2026.1.13162 or later. This version patches the XSS filtering in project notification templates. Organizations should prioritize this update if YouTrack is used by sensitive teams or contains business-critical project data. After patching, audit existing notification templates for suspicious content.

Patch guidance

Apply the official JetBrains YouTrack update to 2026.1.13162 or higher. Consult the JetBrains advisory for version-specific upgrade paths and any potential compatibility considerations. Verify the patch by confirming the version number in YouTrack's administration interface post-update. Organizations on maintenance contracts should also check for any supplementary hardening or rollback guidance from JetBrains support.

Detection guidance

Monitor YouTrack audit logs for creation or modification of notification templates, particularly by lower-privileged accounts or outside normal change windows. Look for templates containing script tags, event handlers (onclick, onload, etc.), or HTML entities that might encode XSS payloads. Endpoint detection platforms should flag script execution originating from YouTrack URLs or tabs. Query web access logs for unusual POST/PUT activity to notification template endpoints.

Why prioritize this

This vulnerability scores 8.7 (HIGH) due to high confidentiality and integrity impact in a cross-boundary context, combined with network accessibility and low complexity. Although it requires authentication and user interaction, the stored nature of the XSS and the ease of exploitation by any authenticated user make it a meaningful risk for organizations where YouTrack is widely accessible or where user accounts may be shared or compromised. Prioritize patching in environments with sensitive project data or integrated CI/CD pipelines.

Risk score, explained

CVSS 8.7 reflects the combination of network accessibility, low attack complexity, and high impact on confidentiality and integrity. The requirement for authentication (PR:L) and user interaction prevents a critical rating, but the cross-boundary scope (S:C) and persistence of stored XSS in a collaborative tool elevate the score significantly. Organizations managing large teams or handling regulated data should weight this accordingly in their risk model.

Frequently asked questions

Can this vulnerability be exploited without a YouTrack account?

No. CVE-2026-49368 requires authenticated access to create or modify notification templates. However, any authenticated user—regardless of privilege level—can potentially craft malicious templates, making it an insider risk as well as a concern for compromised accounts.

What versions of YouTrack are vulnerable?

All versions before 2026.1.13162 are affected. Upgrade immediately to 2026.1.13162 or later. Verify your current version in YouTrack's administration or system settings.

Is there a workaround if we cannot patch immediately?

Restrict notification template editing permissions to a small set of trusted administrators and monitor template modifications closely. However, this is a temporary mitigation only; patching is the definitive fix. Contact JetBrains support for temporary hardening options if your patch window is delayed.

Will this vulnerability lead to data exfiltration or ransomware?

The XSS itself does not directly access the database or encrypt data, but it can steal session tokens, credentials, or sensitive information displayed on-screen. Attackers could use compromised sessions to access project data, perform destructive actions, or pivot to other systems. The risk depends on your environment's integration and what sensitive data YouTrack can reach.

This analysis is provided for informational purposes and based on publicly available vulnerability data as of the publication date. Organizations should verify all technical details against official JetBrains advisories and conduct their own risk assessment. This writeup does not constitute professional security advice; consult your security team or a qualified vendor for guidance specific to your environment. Patch versions, timeline, and availability are subject to change; always verify against authoritative sources before implementing remediation. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).