JetBrains YouTrack up to 2025.3.121962 special elements used in a template engine

Summaryinfo

A vulnerability was found in JetBrains YouTrack. It has been rated as problematic. This issue affects some unknown processing. The manipulation leads to improper neutralization of special elements used in a template engine. This vulnerability is listed as CVE-2026-33392. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is advised.

Detailsinfo

A vulnerability was found in JetBrains YouTrack and classified as problematic. This issue affects an unknown function. The manipulation with an unknown input leads to a improper neutralization of special elements used in a template engine vulnerability. Using CWE to declare the problem leads to CWE-1336. The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

In JetBrains YouTrack before 2025.3.131383 high privileged user can achieve RCE via sandbox bypass

It is possible to read the advisory at jetbrains.com. The identification of this vulnerability is CVE-2026-33392 since 03/19/2026. The exploitation is known to be easy. The attack may be initiated remotely. Additional levels of successful authentication are necessary for exploitation. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1221 according to MITRE ATT&CK.

Upgrading to version 2025.3.131383 eliminates this vulnerability.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Bug Tracking Software

Vendor

• JetBrains

Name

• YouTrack

Version

• 1.8.1.3
• 2018.4.49168
• 2018.4.49852
• 2019.1
• 2019.1.52545
• 2019.1.52584
• 2019.1.65514
• 2019.2.53938
• 2019.2.55152
• 2019.2.59309
• 2019.2.65515
• 2019.3.65516
• 2020.1.659
• 2020.1.1331
• 2020.1.11011
• 2020.2.0
• 2020.2.6881
• 2020.2.8527
• 2020.2.8873
• 2020.2.10514
• 2020.2.10643
• 2020.2.11008
• 2020.3.888
• 2020.3.4313
• 2020.3.5333
• 2020.3.6638
• 2020.3.7955
• 2020.4.4701
• 2020.4.6808
• 2020.5.3123
• 2020.6.1099
• 2020.6.1767
• 2020.6.6441
• 2020.6.6600
• 2020.6.8801
• 2021.1.9819
• 2021.1.11111
• 2021.2
• 2021.2.16363
• 2021.2.17925
• 2021.3.21051
• 2021.3.23639
• 2021.3.24402
• 2021.4.31698
• 2021.4.36872
• 2021.4.40426
• 2022.1.43563
• 2022.1.43700
• 2023.1.10518
• 2023.1.16597
• 2023.3.22268
• 2023.3.22666
• 2024.1.25893
• 2024.1.29548
• 2024.2.34646
• 2024.3.44799
• 2024.3.46677
• 2024.3.47197
• 2024.3.47707
• 2024.3.51866
• 2024.3.52635
• 2024.3.55417
• 2024.3.85077
• 2025.1.74704
• 2025.1.76253
• 2025.1.86199
• 2025.2.86069
• 2025.2.86935
• 2025.2.87167
• 2025.2.92387
• 2025.3.87341
• 2025.3.87344
• 2025.3.104432
• 2025.3.119033
• 2025.3.121962

License

• free

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion