Skip to main content

Request Tracker

27 CVEs product

Monthly

CVE-2026-6841 MEDIUM PATCH This Month

Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.

XSS Request Tracker
NVD
CVSS 4.0
5.1
EPSS
0.1%
CVE-2025-31501 HIGH This Month

Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Request Tracker
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-31500 HIGH This Month

Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Request Tracker
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-30087 HIGH This Month

Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Request Tracker
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2023-45024 HIGH PATCH This Week

Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Request Tracker
NVD
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-41260 HIGH This Week

Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Tracker
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2023-41259 HIGH This Week

Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Tracker
NVD
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-25803 MEDIUM PATCH This Month

Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Request Tracker
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2022-25802 MEDIUM PATCH This Month

Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Request Tracker
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2021-38562 HIGH PATCH This Week

Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Request Tracker Fedora Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
CVE-2017-5944 HIGH This Week

The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Request Tracker
NVD
CVSS 3.0
8.8
EPSS
4.2%
CVE-2017-5943 HIGH This Week

Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Request Tracker
NVD
CVSS 3.0
8.8
EPSS
0.4%
CVE-2017-5361 MEDIUM This Month

Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Request Tracker
NVD
CVSS 3.0
5.9
EPSS
0.4%
CVE-2016-6127 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS File Upload Request Tracker
NVD
CVSS 3.0
6.1
EPSS
0.3%
CVE-2015-6506 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Request Tracker
NVD GitHub
CVSS 2.0
4.3
EPSS
0.4%
CVE-2015-5475 MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker (RT) 4.x before 4.2.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) user and (2). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Request Tracker
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2015-1464 MEDIUM This Month

RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Fedora Request Tracker
NVD
CVSS 2.0
6.4
EPSS
0.3%
CVE-2015-1165 MEDIUM This Month

RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Debian Linux Fedora Request Tracker
NVD
CVSS 2.0
5.0
EPSS
0.4%
CVE-2014-9472 HIGH This Week

The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Debian Linux Fedora Request Tracker
NVD
CVSS 2.0
7.1
EPSS
0.9%
CVE-2013-3737 MEDIUM PATCH This Month

The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Request Tracker
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2013-3736 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13 allows remote attackers to inject arbitrary web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Request Tracker Rt Extension Mobileui
NVD VulDB
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-6581 MEDIUM PATCH This Month

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to bypass intended restrictions on reading keys in the product's keyring, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Request Tracker
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2012-6580 MEDIUM PATCH This Month

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ensure that the UI labels unencrypted messages as unencrypted, which might make it easier for. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Request Tracker
NVD
CVSS 2.0
4.3
EPSS
0.1%
CVE-2012-6579 MEDIUM PATCH This Month

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to configure encryption or signing for certain outbound e-mail, and possibly. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Request Tracker
NVD
CVSS 2.0
6.4
EPSS
0.2%
CVE-2012-6578 MEDIUM PATCH This Month

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled with a "Sign by default" queue configuration, uses a queue's key for signing, which might allow remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Request Tracker
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2013-3525 HIGH POC This Week

SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Request Tracker
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
1.5%
CVE-2012-2768 MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the topic administration page in the RTFM extension 2.0.4 through 2.4.3 for Best Practical Solutions RT allow remote attackers to inject. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Request Tracker
NVD
CVSS 2.0
4.3
EPSS
0.4%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.

XSS Request Tracker
NVD
EPSS 0% CVSS 7.2
HIGH This Month

Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Request Tracker
NVD
EPSS 0% CVSS 7.2
HIGH This Month

Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Request Tracker
NVD
EPSS 0% CVSS 7.2
HIGH This Month

Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Request Tracker
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Request Tracker
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Tracker
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Request Tracker
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Open Redirect Request Tracker
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Request Tracker
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Request Tracker Fedora +1
NVD GitHub
EPSS 4% CVSS 8.8
HIGH This Week

The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Request Tracker
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification tokens. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Request Tracker
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for secrets, which makes it easier for remote attackers to obtain. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Request Tracker
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the AlwaysDownloadAttachments config setting is not in use,. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS File Upload Request Tracker
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to inject arbitrary web script or HTML via a crafted public key. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Request Tracker
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker (RT) 4.x before 4.2.12 allow remote attackers to inject arbitrary web script or HTML via vectors related to the (1) user and (2). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Request Tracker
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Fedora Request Tracker
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Debian Linux Fedora +1
NVD
EPSS 1% CVSS 7.1
HIGH This Week

The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Denial Of Service Debian Linux Fedora +1
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Request Tracker
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13 allows remote attackers to inject arbitrary web. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Request Tracker Rt Extension Mobileui
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to bypass intended restrictions on reading keys in the product's keyring, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Privilege Escalation Request Tracker
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ensure that the UI labels unencrypted messages as unencrypted, which might make it easier for. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Request Tracker
NVD
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to configure encryption or signing for certain outbound e-mail, and possibly. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Request Tracker
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled with a "Sign by default" queue configuration, uses a queue's key for signing, which might allow remote. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Request Tracker
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Request Tracker
NVD Exploit-DB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Multiple cross-site scripting (XSS) vulnerabilities in the topic administration page in the RTFM extension 2.0.4 through 2.4.3 for Best Practical Solutions RT allow remote attackers to inject. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Request Tracker
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy