CVE-2026-49368: JetBrains YouTrack stored XSS in project notification templates
In JetBrains YouTrack before 2026.1.13162, stored XSS in project notification templates was possible.
HarborGuard Analysis
Synopsis
This is a stored cross-site scripting (XSS) bug in JetBrains YouTrack, where malicious script content can be saved into project notification templates and later rendered in another user's browser session. The flaw is reachable over the network and requires a low-privilege YouTrack account plus a victim who views the affected notification, after which the attacker's script runs in the victim's session and can read or tamper with YouTrack content the victim can access. A patched-image rebuild at 2026.1.13162 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against YouTrack images in customer registries and pipelines. Coverage includes custom-built images that bundle or derive from JetBrains YouTrack.
Triage is available with the published CVSS 3.1 score of 8.7 (High) weighted against each customer's compliance policy, so the same CVE can land at different priorities in different environments. Findings are routed to the inbox configured for the owning team inside each customer org.
A patched-image rebuild at YouTrack 2026.1.13162 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, the rebuild is generated, run through regression tests, and proposed as a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the YouTrack web interface over the network to plant the malicious template content.
- Authentication: Required
A low-privilege YouTrack account with permission to edit project notification templates is sufficient; no admin role is needed.
- Victim interaction: Required
Exploitation fires when a separate YouTrack user views or receives the rendered notification containing the injected script.
- Attack complexity: Low
Attack complexity is low: the stored payload triggers reliably whenever the notification is rendered, with no race or environmental dependency.
Blast Radius
- Executes attacker-controlled JavaScript in the victim's authenticated YouTrack session, reading issues, comments, and project data the victim can see.
- Performs actions as the victim, including modifying issues, comments, or notification templates, which can be used to pivot to additional users.
- Can exfiltrate session tokens or other browser-accessible credentials tied to the YouTrack origin, enabling continued access without re-exploitation.
How HarborGuard Handles This
Available on HarborGuard: a patched-image rebuild at YouTrack 2026.1.13162 is published for any environment still running an affected version. For customers with auto-remediation enabled, the rebuild is regression-tested and a pull request is opened against affected workloads automatically; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. Customers who keep remediation manual see the same rebuild and PR draft staged in their HarborGuard inbox for review and merge on their own schedule.
Metrics
- CVSS v3.1: 8.7
- Severity: HIGH
- Fixed in: 2026.1.13162
- Affected Products: 1
Fix available
- JetBrains / YouTrack: < 2026.1.13162 (from 0)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N