CVE-2026-57926 (CVSS 2.6) — In JetBrains YouTrack before 2026.2.16593 the websandbox bridge was vulnerable to a prototype pollution attack
Sourced from NVD, summarised by Matproof.
AI Analysis
What changed and what to do.
A new vulnerability has been published under CVE-2026-57926, affecting JetBrains YouTrack versions prior to 2026.2.16593. The issue involves a prototype pollution attack in the websandbox bridge, which could allow an attacker to manipulate object properties in the application's runtime environment. Despite a low CVSS score of 2.6, this type of vulnerability can potentially lead to unexpected behavior or security bypasses in certain contexts, particularly if combined with other weaknesses.
Organizations using JetBrains YouTrack for issue tracking and project management are affected, especially those in software development, IT services, and regulated sectors such as finance, healthcare, or government where data integrity and access controls are critical. Any entity running an unpatched version of YouTrack should treat this as a priority for remediation, even with the low severity rating, due to the potential for exploitation in multi-tenant or high-security environments.
Compliance teams should immediately verify that all YouTrack instances are updated to version 2026.2.16593 or later. If immediate patching is not possible, implement network-level restrictions to limit access to the websandbox feature and monitor for unusual activity. Document the assessment and remediation steps in your vulnerability management records, as regulators may expect evidence of timely response to known CVEs, regardless of severity.
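One way to run the version check described above across an inventory, as an added example (not Matproof's or JetBrains' code). The host names and every build number other than 2026.2.16593 are constructed, and how versions are collected is left to your own asset inventory. Versions are compared numerically because plain string comparison misorders builds such as 2026.2.9999 and 2026.10.120.

```python
import re

# Fixed build stated in the advisory text above.
FIXED = (2026, 2, 16593)

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text, fixed=FIXED):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"  # unparseable: needs manual review, never assume patched
    # Pad to equal length so a bare "2026.2" compares as 2026.2.0 (conservative).
    width = max(len(parsed), len(fixed))
    padded = parsed + (0,) * (width - len(parsed))
    target = fixed + (0,) * (width - len(fixed))
    return "patched" if padded >= target else "vulnerable"


def triage(inventory):
    """Map each host to its status; inventory is {host: version string}."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory (hypothetical hosts and builds, not real data).
SAMPLE_INVENTORY = {
    "yt-prod.example.internal": "2026.2.16593",
    "yt-stage.example.internal": "2026.2.9999",    # string compare would pass this
    "yt-legacy.example.internal": "2025.3.70000",
    "yt-next.example.internal": "2026.10.120",     # string compare would fail this
    "yt-lab.example.internal": "2026.2",
    "yt-unknown.example.internal": "unknown (agent offline)",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:32} {SAMPLE_INVENTORY[host]:26} {status}")
```

Hosts reported as `unknown` belong in the remediation record alongside the vulnerable ones until their version is confirmed.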
This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.