Skip to main content

Rt

18 CVEs product

Monthly

CVE-2026-41076 HIGH PATCH This Week

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows remote attackers to log in as any LDAP-backed user without valid credentials when RT is configured with LDAP or Active Directory authentication and the LDAP server accepts unauthenticated bind requests. The flaw, fixed in RT 5.0.10 and 6.0.3 released 2026-05-20, carries a CVSS 8.1 and has no public exploit identified at time of analysis, but the trivial nature of the bypass against vulnerable LDAP policies makes it high-priority for any RT deployment using directory-based auth.

Authentication Bypass Rt
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-41075 HIGH PATCH This Week

Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6.0.0-6.0.2 via the entry_aggregator parameter in the JSON search endpoint, allowing any logged-in RT user to read or modify arbitrary data in the underlying database. The flaw was disclosed alongside the rt-5.0.10/6.0.3 release on 2026-05-20 and carries CVSS 8.8 due to high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi Rt
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-41074 HIGH This Week

Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers to perform arbitrary state-changing actions on behalf of an authenticated RT user who is lured to a malicious web page. The flaw carries a CVSS 7.1 (high integrity impact) and has been addressed in RT 6.0.3 released 2026-05-20, but no public exploit identified at time of analysis and the CVE is not present in CISA KEV.

CSRF Rt
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41073 MEDIUM PATCH This Month

Spreadsheet formula injection in Best Practical Request Tracker (RT) allows a low-privileged authenticated attacker to embed malicious formulas in ticket fields that execute when an administrator or staff member exports data to CSV and opens the file in a spreadsheet application. Affected versions span the entire RT 5.0 line prior to 5.0.10 and RT 6.0.0 through 6.0.2. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, but the attack surface is broad given that CSV exports are a routine administrative workflow in ticketing systems.

Code Injection Rt
NVD GitHub
CVSS 3.1
4.6
EPSS
0.0%
CVE-2014-1474 MEDIUM PATCH This Month

Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Rt
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2013-5587 LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.

XSS Rt
NVD
CVSS 2.0
2.6
EPSS
0.4%
CVE-2013-3374 MEDIUM PATCH This Month

Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Session::File session store, allows remote attackers to obtain sensitive. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache Information Disclosure Rt
NVD
CVSS 2.0
4.3
EPSS
0.6%
CVE-2013-3373 MEDIUM PATCH This Month

CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection RCE Rt
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2013-3372 MEDIUM PATCH This Month

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting (XSS) attacks. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rt
NVD
CVSS 2.0
4.3
EPSS
0.5%
CVE-2013-3371 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 3.8.3 through 3.8.16 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the filename of an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rt
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2013-3370 MEDIUM PATCH This Month

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback components, which allows remote attackers to have an unspecified impact via a. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

Privilege Escalation Rt
NVD
CVSS 2.0
6.8
EPSS
1.1%
CVE-2013-3369 MEDIUM PATCH This Month

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions to view the administration pages to execute arbitrary private components via. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable.

Information Disclosure Rt
NVD
CVSS 2.0
6.0
EPSS
0.6%
CVE-2013-3368 LOW PATCH Monitor

bin/rt in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with predictable name. Rated low severity (CVSS 3.3).

Information Disclosure Rt
NVD
CVSS 2.0
3.3
EPSS
0.0%
CVE-2012-4733 MEDIUM PATCH This Month

Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" permission, which allows remote authenticated users with the ModifyTicket. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable.

Authentication Bypass Rt
NVD
CVSS 2.0
6.0
EPSS
0.6%
CVE-2012-4884 MEDIUM This Month

Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to create arbitrary files via unspecified vectors related to the GnuPG. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Rt
NVD
CVSS 2.0
5.0
EPSS
0.2%
CVE-2012-4734 MEDIUM This Month

Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" attack to bypass the CSRF warning protection mechanism and cause victims to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Privilege Escalation Rt
NVD
CVSS 2.0
5.0
EPSS
0.2%
CVE-2012-4732 MEDIUM PATCH This Month

Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0.6 and other versions before 4.0.8, allows remote attackers to hijack the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

CSRF Rt
NVD
CVSS 2.0
6.8
EPSS
0.1%
CVE-2012-4730 LOW Monitor

Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote authenticated users with ModifySelf or AdminUser privileges to inject arbitrary email headers and conduct phishing. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Rt
NVD
CVSS 2.0
3.5
EPSS
0.2%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows remote attackers to log in as any LDAP-backed user without valid credentials when RT is configured with LDAP or Active Directory authentication and the LDAP server accepts unauthenticated bind requests. The flaw, fixed in RT 5.0.10 and 6.0.3 released 2026-05-20, carries a CVSS 8.1 and has no public exploit identified at time of analysis, but the trivial nature of the bypass against vulnerable LDAP policies makes it high-priority for any RT deployment using directory-based auth.

Authentication Bypass Rt
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6.0.0-6.0.2 via the entry_aggregator parameter in the JSON search endpoint, allowing any logged-in RT user to read or modify arbitrary data in the underlying database. The flaw was disclosed alongside the rt-5.0.10/6.0.3 release on 2026-05-20 and carries CVSS 8.8 due to high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

SQLi Rt
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers to perform arbitrary state-changing actions on behalf of an authenticated RT user who is lured to a malicious web page. The flaw carries a CVSS 7.1 (high integrity impact) and has been addressed in RT 6.0.3 released 2026-05-20, but no public exploit identified at time of analysis and the CVE is not present in CISA KEV.

CSRF Rt
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Spreadsheet formula injection in Best Practical Request Tracker (RT) allows a low-privileged authenticated attacker to embed malicious formulas in ticket fields that execute when an administrator or staff member exports data to CSV and opens the file in a spreadsheet application. Affected versions span the entire RT 5.0 line prior to 5.0.10 and RT 6.0.0 through 6.0.2. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, but the attack surface is broad given that CSV exports are a routine administrative workflow in ticketing systems.

Code Injection Rt
NVD GitHub
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Rt
NVD
EPSS 0% CVSS 2.6
LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary web script or HTML via a URL in a. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.

XSS Rt
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Session::File session store, allows remote attackers to obtain sensitive. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Apache Information Disclosure Rt
NVD
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Code Injection vulnerability could allow attackers to inject and execute arbitrary code within the application.

Code Injection RCE Rt
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting (XSS) attacks. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rt
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 3.8.3 through 3.8.16 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the filename of an. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Rt
NVD
EPSS 1% CVSS 6.8
MEDIUM PATCH This Month

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback components, which allows remote attackers to have an unspecified impact via a. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

Privilege Escalation Rt
NVD
EPSS 1% CVSS 6.0
MEDIUM PATCH This Month

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions to view the administration pages to execute arbitrary private components via. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable.

Information Disclosure Rt
NVD
EPSS 0% CVSS 3.3
LOW PATCH Monitor

bin/rt in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with predictable name. Rated low severity (CVSS 3.3).

Information Disclosure Rt
NVD
EPSS 1% CVSS 6.0
MEDIUM PATCH This Month

Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" permission, which allows remote authenticated users with the ModifyTicket. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable.

Authentication Bypass Rt
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to create arbitrary files via unspecified vectors related to the GnuPG. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection RCE Rt
NVD
EPSS 0% CVSS 5.0
MEDIUM This Month

Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" attack to bypass the CSRF warning protection mechanism and cause victims to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

CSRF Privilege Escalation Rt
NVD
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0.6 and other versions before 4.0.8, allows remote attackers to hijack the. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

CSRF Rt
NVD
EPSS 0% CVSS 3.5
LOW Monitor

Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote authenticated users with ModifySelf or AdminUser privileges to inject arbitrary email headers and conduct phishing. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. No vendor patch available.

Privilege Escalation Rt
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy