Request tracker
This hub aggregates every CVE we track for Request tracker, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 32
- Critical: 0
- High: 12
- In CISA KEV: 0
Severity distribution
MEDIUM: 19, HIGH: 12, LOW: 1
Monthly trend (chart, 2024-07 to 2026-06)
Latest CVEs
The 15 most recently published vulnerabilities affecting Request tracker.
- CVE-2026-6841: Reflected XSS in Request Tracker (score: 6.1)
- CVE-2025-61873: Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used. (score: 2.6)
- CVE-2025-31500: Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name. (score: 7.2)
- CVE-2025-31501: Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink. (score: 7.2)
- CVE-2025-30087: Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL. (score: 7.2)
- CVE-2024-3262: Information exposure vulnerability in Request Tracker (RT) (score: 5.5)
- CVE-2023-45024: Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder. (score: 7.5)
- CVE-2023-41260: Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API calls. (score: 7.5)
- CVE-2023-41259: Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in an email message or a mail-gateway REST API call. (score: 7.5)
- CVE-2022-25803: Best Practical Request Tracker (RT) before 5.0.3 has an Open Redirect via a ticket search. (score: 6.1)
- CVE-2022-25802: Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment. (score: 6.1)
- CVE-2021-38562: Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a timing attack against lib/RT/REST2/Middleware/Auth.pm. (score: 7.5)
- CVE-2018-18898: The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an algorithmic complexity attack on email address parsing. (score: 7.5)
- CVE-2017-5944: The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow remote authenticated users with certain privileges to execute... (score: 8.8)
- CVE-2017-5943: Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information about cross-site request forgery (CSRF) verification toke... (score: 8.8)
Product normalization is registry-driven with AI assist and human review.