CVE-2026-57926 is a prototype pollution vulnerability in the websandbox bridge of JetBrains YouTrack, affecting all versions before 2026.2.16593. Malicious input lets an attacker modify JavaScript object prototypes and so alter application behavior at runtime. The issue was published on June 26, 2026; the fix ships in 2026.2.16593. NVD assigns a CVSS v3.1 base score of 9.8 (Critical), while ENISA's EUVD rates it 2.6 (Low) with a higher-complexity vector; the gap reflects differing assessments of the exploitation preconditions (JetBrains Advisory, Feedly).
The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, 'Prototype Pollution'). The websandbox bridge in YouTrack does not sanitize or restrict user-controlled input before using it to set properties on JavaScript objects, so an attacker can inject keys such as __proto__ or constructor.prototype and write to a shared object prototype. Because every object that inherits from that prototype picks up the injected properties, downstream application logic can behave unexpectedly. Exploitation requires an authenticated user with at least standard user privileges to send a crafted request through the websandbox bridge (Feedly, EUVD); note that the NVD score of 9.8 is only reachable with a vector that assumes no privileges are required, which is one source of the scoring disagreement above.
Successful exploitation lets an authenticated attacker tamper with the application's runtime state by polluting JavaScript object prototypes, potentially changing application behavior, bypassing logic checks, or corrupting data integrity. The primary impact is on integrity, with possible secondary effects on availability if critical application objects are corrupted. Confidentiality impact is assessed as low to none under the ENISA scoring, though NVD's critical rating suggests a broader impact depending on how polluted properties are consumed by the application (Feedly, EUVD).
{"__proto__": {"pollutedKey": "maliciousValue"}} or equivalent nested object notation targeting constructor.prototype.__proto__, constructor, or prototype, submitted via API or UI endpoints associated with the websandbox bridge.
JetBrains has released a fix in YouTrack version 2026.2.16593; upgrading to this version or later is the recommended remediation (JetBrains Advisory). Until the upgrade is applied, restrict access to YouTrack instances to trusted and necessary users only (exploitation requires an authenticated account, so every unnecessary account widens the exposed population), and validate and sanitize user input that reaches the websandbox bridge; for an operator, that means rejecting request bodies carrying __proto__, constructor or prototype keys at a reverse proxy or WAF in front of the instance. Monitor request logs for those keys as an indicator of attempted prototype pollution.
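The mechanism described above (a recursive copy of user-controlled keys that walks into a shared prototype) and the two payload shapes quoted for this CVE, shown as an added example that is not YouTrack's code or JetBrains' fix. The merge function, the detection helper, the option object and the payloads are constructed for illustration; the real websandbox bridge request format is not reproduced on this page and is not assumed here.

```javascript
// Added example, not YouTrack's code: a generic "deep merge" of user-supplied JSON
// into a server-side options object, written first the way CWE-1321 arises and
// then hardened. The merge function, the detection helper and the payloads are
// constructed for illustration; the real websandbox bridge request format is not
// public on this page and is not reproduced here.

// Vulnerable form: copies every key of the parsed body, including "__proto__".
// Reading target["__proto__"] on a plain object returns Object.prototype, and
// target["constructor"]["prototype"] reaches it too, so the recursion descends
// into the shared prototype and writes there.
function vulnerableMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === undefined || target[key] === null) target[key] = {};
      vulnerableMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that reach a prototype from any plain object or function.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened form: drops the prototype-reaching keys and only recurses into the
// target's own plain-object properties, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or throw, if rejecting the request is preferred
    const value = source[key];
    if (value !== null && typeof value === "object") {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper for request logging or alerting: returns the JSON paths of
// any prototype-reaching keys anywhere in a parsed body.
function findPrototypeKeys(value, path = "$", found = []) {
  if (value === null || typeof value !== "object") return found;
  for (const key of Object.keys(value)) {
    const here = `${path}.${key}`;
    if (FORBIDDEN_KEYS.has(key)) found.push(here);
    findPrototypeKeys(value[key], here, found);
  }
  return found;
}

// Runs one merge against a fresh options object and reports whether an unrelated
// object afterwards inherits "pollutedKey". Cleans Object.prototype up again so
// successive calls start from an unpolluted state.
function demonstrate(merge, payloadJson) {
  const options = { theme: "light" };
  merge(options, JSON.parse(payloadJson));
  const unrelated = {};
  const leaked = unrelated.pollutedKey;
  delete Object.prototype.pollutedKey;
  return { leaked, ownKeys: Object.keys(options) };
}

// Constructed payloads in the two shapes the report describes.
const PAYLOAD_PROTO = '{"__proto__": {"pollutedKey": "maliciousValue"}}';
const PAYLOAD_CTOR = '{"constructor": {"prototype": {"pollutedKey": "maliciousValue"}}}';

for (const [name, payload] of [["__proto__", PAYLOAD_PROTO], ["constructor.prototype", PAYLOAD_CTOR]]) {
  console.log(name, "vulnerable:", demonstrate(vulnerableMerge, payload));
  console.log(name, "hardened:  ", demonstrate(safeMerge, payload));
  console.log(name, "flagged paths:", findPrototypeKeys(JSON.parse(payload)));
}
```

With the vulnerable merge, a fresh `{}` created after the request inherits `pollutedKey` from `Object.prototype`; with the hardened merge it does not, while ordinary nested keys still merge. As defence in depth on a Node.js host, `--disable-proto=delete` (or `throw`) removes the `__proto__` accessor process-wide and `Object.freeze(Object.prototype)` blocks the write itself, but both can break libraries that extend built-in prototypes, and neither substitutes for the upgrade above.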
The vulnerability received routine automated coverage across vulnerability tracking platforms, including Vulners, CVEFeed, VulDB, and Tenable's plugin pipeline, shortly after disclosure (Tenable). A Bluesky post from a CVE tracking account noted the disclosure. No independent researcher commentary, vendor blog post, or significant media coverage has been identified beyond this aggregation.
Source: This report was generated with the help of AI