CVE-2026-61492 in YouTrackinfo

Summary

by MITRE • 07/10/2026

In JetBrains YouTrack before 2026.2.17394 stored XSS via article titles in digest emails was possible

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability exists in JetBrains YouTrack versions prior to 2026.2.17394 and represents a stored cross-site scripting flaw that occurs through article titles within digest email notifications. The vulnerability stems from insufficient input validation and output encoding mechanisms when processing user-supplied data in the email digest functionality. Attackers can exploit this weakness by crafting malicious payloads in article titles that are then rendered in email templates, allowing arbitrary javascript code execution in the context of a victim's browser when they open the digest email. This type of vulnerability falls under CWE-79 which specifically addresses cross-site scripting flaws where untrusted data is improperly handled during web application output generation.

The operational impact of this vulnerability is significant as it enables attackers to execute malicious scripts against unsuspecting users who receive these digest emails. The stored nature of this vulnerability means that once a malicious article title is submitted and processed by the system, the payload remains persistent and will execute every time affected users open the digest email containing the compromised content. This creates a vector for various attack scenarios including credential theft, session hijacking, redirection to malicious sites, or data exfiltration from authenticated user sessions. The vulnerability specifically affects the email notification system where article titles are not properly sanitized before being included in HTML email templates.

The exploitation process requires an attacker to first gain access to a YouTrack instance with sufficient privileges to create or modify articles that will appear in digest emails. Once the malicious payload is embedded in an article title, it becomes part of the system's stored data and will be included in subsequent email digests sent to users with appropriate permissions. When victims open these emails, their browsers execute the embedded javascript code, potentially compromising their sessions or redirecting them to attacker-controlled domains. This vulnerability aligns with ATT&CK technique T1566 which covers social engineering through spearphishing and email-based attacks.

Mitigation strategies for this vulnerability include applying the patch released in YouTrack version 2026.2.17394 which implements proper input validation and output encoding for article titles used in email contexts. Organizations should also implement additional security controls such as email filtering rules that can detect suspicious patterns in email headers or content, regular security scanning of email templates for potential XSS vulnerabilities, and user education about recognizing potentially malicious email content. The fix typically involves implementing proper HTML escaping mechanisms when rendering user-generated content in email templates and validating all input data against established security profiles to prevent malicious payloads from being stored within the system's database.

Responsible

JetBrains

Reservation

07/10/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!