Reflected XSS in Request Tracker_CVE-2026-6841

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Description

Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.

This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.

Basic Information

ID CVE-2026-6841

Source CERT-PL

Published May 21, 2026 at 11:49

Modified May 21, 2026 at 12:45

Affected Product

Vendor Best Practical

Product Request Tracker

Version 5.0.4

Affected Versions Best Practical Request Tracker 5.0.4
Best Practical Request Tracker 6.0.0

CWE Classification

CWE-79

References

{
    "lastseen": "",
    "description": "Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the \"Page\" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim\u2019s browser.\n\nThis vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to\u00a06.0.2.",
    "published": "2026-05-21T11:49:07.533Z",
    "modified": "2026-05-21T12:45:14.647Z",
    "type": "cve",
    "title": "Reflected XSS in Request Tracker",
    "source": "CERT-PL",
    "references": "https://cert.pl/en/posts/2026/05/CVE-2026-6841\nhttps://requesttracker.com/request-tracker/\nhttps://docs.bestpractical.com/release-notes/rt/5.0.10\nhttps://docs.bestpractical.com/release-notes/rt/6.0.3",
    "id": "CVE-2026-6841",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "Best Practical Request Tracker 5.0.4\nBest Practical Request Tracker 6.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Request Tracker",
    "version": "5.0.4",
    "vendor": "Best Practical",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}