In JetBrains YouTrack before 2021.1.11111, sandboxing in workflows was insufficient.
youtrack
CVE-2021-25768
In JetBrains YouTrack before 2020.4.4701, permissions for attachments actions were checked improperly.
CVE-2022-28650
In JetBrains YouTrack before 2022.1.43700 it was possible to inject JavaScript into Markdown in the YouTrack Classic UI
CVE-2022-28649
In JetBrains YouTrack before 2022.1.43563 it was possible to include an iframe from a third-party domain in the issue description
CVE-2022-28648
In JetBrains YouTrack before 2022.1.43563 HTML code from the issue description was being rendered
CVE-2022-24442
JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.