Cyber Resilience

CVE-2026-49370

Low

Published: 29 May 2026

Published
29 May 2026
Modified
01 June 2026
KEV Added
Patch
CVSS Score v3.1 3.4 CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:N/A:N
EPSS Score 0.0023 13.5th percentile
Risk Priority 7 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-49370 is a low-severity Insertion of Sensitive Information Into Sent Data (CWE-201) vulnerability in Jetbrains Youtrack. Its CVSS base score is 3.4 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

In JetBrains YouTrack before 2026.1.13162 information disclosure was possible on fetchApp requests

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1082 System Information Discovery Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Why these techniques?

Info disclosure vuln in public-facing YouTrack app directly enables T1190 exploitation and facilitates T1082 system info gathering via fetchApp requests.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

Affected Assets

jetbrains
youtrack
≤ 2026.1.13162

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-201

Embedding taints allows detection when sensitive data is inserted into outbound or sent data streams.

References