CVE-2026-6841
Status: Awaiting Analysis
Reflected XSS in Request Tracker via Page Parameter

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: CERT.PL

Description
Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
Meta Information
Published: 2026-05-21
Last Modified: 2026-05-21
Generated: 2026-05-21
AI Q&A: 2026-05-21
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor         Product          Version / Range
bestpractical  request_tracker  From 5.0.4 (inc) to 5.0.9 (inc)
bestpractical  request_tracker  From 6.0.0 (inc) to 6.0.2 (inc)
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-6841 is a reflected cross-site scripting (XSS) vulnerability in Request Tracker (RT) affecting versions 5.0.4 to 5.0.9 and 6.0.0 to 6.0.2.

The vulnerability occurs via the "Page" parameter in GET requests, where insufficient escaping allows an attacker to craft a malicious URL.

If a victim opens this malicious URL, arbitrary JavaScript code can be executed in their browser within the context of the RT application.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the reflected cross-site scripting (XSS) vulnerability in Request Tracker impacts compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me?

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the victim's browser when they click a specially crafted malicious link.

Such execution can lead to session hijacking, theft of sensitive information, or performing actions on behalf of the user within the RT application.

The attacker exploits the vulnerability by tricking users into clicking malicious URLs that exploit the insufficient escaping of the "Page" parameter.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the reflected cross-site scripting (XSS) vulnerability in Request Tracker, you should upgrade your RT installation to a fixed version.

  • Upgrade to RT version 6.0.3 or later if you are using the 6.0.x series.
  • Upgrade to RT version 5.0.10 or later if you are using the 5.0.x series.

These versions include security fixes that properly escape the vulnerable "Page" URL parameter, preventing arbitrary JavaScript execution.

