PatchSiren cyber security CVE debrief

CVE-2026-49368 JetBrains CVE debrief

JetBrains YouTrack versions prior to 2026.1.13162 contain a stored cross-site scripting (XSS) vulnerability in project notification templates. An authenticated attacker with low privileges can inject malicious scripts into notification templates, which execute when rendered in other users' browsers. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) indicates network attack vector, low attack complexity, low privileges required, user interaction required, changed scope, high confidentiality and integrity impact, with no availability impact. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). JetBrains has addressed this issue in YouTrack 2026.1.13162.

Vendor: JetBrains
Product: YouTrack
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

Organizations using JetBrains YouTrack for issue tracking and project management, particularly those with multi-user environments where notification templates are customizable by non-administrative users. Security teams responsible for application security in development toolchains. Compliance teams tracking vulnerability remediation for software development infrastructure.

Technical summary

Stored XSS in project notification templates allows script injection by low-privilege authenticated users. Malicious scripts execute in the context of other users' sessions when the notifications are rendered. The changed scope (S:C) indicates that the impact extends beyond the vulnerable component itself. There is no availability impact per the CVSS vector. Fixed in YouTrack 2026.1.13162.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade JetBrains YouTrack to version 2026.1.13162 or later.
  • Review project notification templates for unauthorized modifications if running affected versions.
  • Implement Content Security Policy (CSP) headers as defense-in-depth for web applications.
  • Audit user accounts with permissions to modify notification templates.
  • Monitor for suspicious script content in notification template configurations.
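The following added example (not code from PatchSiren or JetBrains) shows two of the checks above in working form: deciding whether an installed build predates the fix version 2026.1.13162, and auditing notification template text for script content. It assumes the templates have already been exported as HTML strings; the sample templates and their placeholders are constructed for illustration and do not reproduce YouTrack's real template syntax.

```python
import re
from html.parser import HTMLParser

# Fix version stated in the JetBrains advisory for CVE-2026-49368.
FIXED_VERSION = "2026.1.13162"


def parse_version(version: str) -> tuple:
    """Split a YouTrack build string such as '2026.1.13162' into an int tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build predates the fixed build."""
    return parse_version(installed) < parse_version(fixed)


class _ScriptFinder(HTMLParser):
    """Records script elements, on* event-handler attributes and javascript: URLs."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler attribute {name}")
            # HTMLParser unescapes attribute values, so entity-encoded
            # variants such as &#106;avascript: are caught as well.
            if value and re.match(r"\s*javascript:", value, re.IGNORECASE):
                self.findings.append(f"javascript: URL in {name}")


def scan_template(template_html: str) -> list:
    """Return a list of findings for one notification template body."""
    finder = _ScriptFinder()
    finder.feed(template_html)
    finder.close()
    return finder.findings


# Constructed sample templates (placeholders are illustrative only).
SAMPLE_TEMPLATES = {
    "clean": "<p>Issue <b>{issue.id}</b> was updated by {user.name}</p>",
    "script": "<p>Issue updated</p><script>handler()</script>",
    "attrs": '<img src="x" onerror="handler()"><a href="&#106;avascript:handler()">link</a>',
}

if __name__ == "__main__":
    print("affected:", is_affected("2025.3.50000"))
    for name, body in SAMPLE_TEMPLATES.items():
        print(name, "->", scan_template(body) or "no findings")
```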

Evidence notes

Vulnerability confirmed by JetBrains security advisory. Fix version 2026.1.13162 explicitly stated. CVSS 8.7 (HIGH) per NVD. CWE-79 classification from official source.

Official resources

2026-05-29T19:16:26.553Z