Rt

This hub aggregates every CVE we track for Rt, a product in the enterprise software space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Rt.

• CVE-2026-41076RT: LDAP authentication bypass via empty password8.1May 22, 2026
• CVE-2026-41075RT: SQL injection via entry_aggregator parameter in JSON search8.8May 22, 2026
• CVE-2026-41074RT has broken CSRF protection for authenticated users7.1May 22, 2026
• CVE-2026-41073RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps4.6May 22, 2026
• CVE-2025-31500Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name.7.2May 28, 2025
• CVE-2025-31501Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink.7.2May 28, 2025
• CVE-2025-30087Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.7.2May 28, 2025
• CVE-2014-1474Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of service (CPU consumption) via a string with...5.0Jul 15, 2014
• CVE-2013-3370Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback components, which allows remote attackers to have an unspecified impact via a ...6.8Aug 23, 2013
• CVE-2013-3369Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions to view the administration pages to execute arbitrary private components via ...6.0Aug 23, 2013
• CVE-2013-3374Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Session::File session store, allows remote attackers to obtain sensitive inform...4.3Aug 23, 2013
• CVE-2013-3368bin/rt in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with predictable name.3.3Aug 23, 2013
• CVE-2013-3371Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 3.8.3 through 3.8.16 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary web script or HTML via the filename of an a...4.3Aug 23, 2013
• CVE-2013-3372Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly conduct cross-site scripting (XSS) attacks ...4.3Aug 23, 2013
• CVE-2013-3373CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks...5.0Aug 23, 2013