CVE-2026-6841
Reflected XSS in Request Tracker via Page Parameter

Publication date: 2026-05-21

Last updated on: 2026-06-01

Assigner: CERT.PL

Description
Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
Meta Information
Published: 2026-05-21
Last Modified: 2026-06-01
Generated: 2026-06-10
AI Q&A: 2026-05-21
EPSS Evaluated: 2026-06-09
Affected Vendors & Products
Vendor | Product | Version / Range
bestpractical | request_tracker | From 5.0.4 (inc) to 5.0.10 (exc)
bestpractical | request_tracker | From 6.0.0 (inc) to 6.0.3 (exc)
CWE
CWE ID | Description
CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

CVE-2026-6841 is a reflected cross-site scripting (XSS) vulnerability in Request Tracker (RT) affecting versions 5.0.4 to 5.0.9 and 6.0.0 to 6.0.2.

The vulnerability occurs via the "Page" parameter in GET requests, where insufficient escaping allows an attacker to craft a malicious URL.

If a victim opens this malicious URL, arbitrary JavaScript code can be executed in their browser within the context of the RT application.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the victim's browser when they click a specially crafted malicious link.

Such execution can lead to session hijacking, theft of sensitive information, or performing actions on behalf of the user within the RT application.

The attacker exploits the vulnerability by tricking users into clicking malicious URLs that exploit the insufficient escaping of the "Page" parameter.

Mitigation Strategies

To mitigate the reflected cross-site scripting (XSS) vulnerability in Request Tracker, you should upgrade your RT installation to a fixed version.

  • Upgrade to RT version 6.0.3 or later if you are using the 6.0.x series.
  • Upgrade to RT version 5.0.10 or later if you are using the 5.0.x series.

These versions include security fixes that properly escape the vulnerable "Page" URL parameter, preventing arbitrary JavaScript execution.

Compliance Impact

The provided information does not specify how the reflected cross-site scripting (XSS) vulnerability in Request Tracker impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability is a reflected cross-site scripting (XSS) issue via the "Page" parameter in GET requests to Request Tracker versions 5.0.4 up to 5.0.9 and 6.0.0 up to 6.0.2.

To check whether an RT instance you operate is affected, send a crafted HTTP GET request to it with JavaScript code in the "Page" parameter and observe whether the payload comes back in the response unescaped, in which case a browser would execute it.

A simple command using curl to test might be:

  • curl -i 'http://[RT-server]/Search/Results.html?Page=<script>alert(1)</script>'

If the response contains the injected script tag without proper escaping or encoding, the system is vulnerable.

Additionally, monitoring web traffic for requests whose "Page" parameter contains script tags or other unusual values can help detect exploitation attempts.
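
The traffic monitoring described above can be run over web server access logs. The following is an added example, not code from this page or from Request Tracker: it assumes Combined Log Format lines and that legitimate "Page" values are plain integers, and the log lines and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [22/May/2026:10:01:02 +0000] "GET /Search/Results.html'
    '?Query=Status%3D%27open%27&Page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [22/May/2026:10:03:44 +0000] "GET /Search/Results.html'
    '?Page=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4711 "-" "curl/8.5.0"',
    '203.0.113.9 - - [22/May/2026:10:04:10 +0000] "GET /Search/Results.html'
    '?Page=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 4700 "-" "-"',
    '198.51.100.7 - - [22/May/2026:10:05:00 +0000] "GET /Ticket/Display.html'
    '?id=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

REQUEST_RE = re.compile(r'"GET (\S+) HTTP/[0-9.]+"')
MARKUP_RE = re.compile(r"[<>\"'`]")


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded values are inspected too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_page_values(lines):
    """Return (client, decoded Page value, reason) for each request to flag."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query):  # parse_qsl decodes once
            if name != "Page":
                continue
            value = fully_decode(value)
            if MARKUP_RE.search(value):
                hits.append((line.split()[0], value, "markup"))
            elif not value.isdigit():  # assumption: real values are integers
                hits.append((line.split()[0], value, "non-numeric"))
    return hits


if __name__ == "__main__":
    for hit in suspicious_page_values(SAMPLE_LOG):
        print(hit)
```

A hit shows that a crafted request reached the server, not that the instance is vulnerable; whether the value was reflected unescaped still depends on the RT version.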
