Bestpractical Rt
41 CVEs affecting Bestpractical Rt. Latest disclosed: 2026-05-22. Critical: 0, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-41075 | High | 8.8 | 2026-05-22 | RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerab… |
| CVE-2026-41076 | High | 8.1 | 2026-05-22 | RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication… |
| CVE-2025-31501 | High | 7.2 | 2025-05-28 | Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink. |
| CVE-2025-31500 | High | 7.2 | 2025-05-28 | Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name. |
| CVE-2025-30087 | High | 7.2 | 2025-05-28 | Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL. |
| CVE-2026-41074 | High | 7.1 | 2026-05-22 | RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability… |
| CVE-2026-41073 | Medium | 4.6 | 2026-05-22 | RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) i… |
| CVE-2014-1474 | | | 2014-07-15 | Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remote attackers to cause a denial of servi… |
| CVE-2013-5587 | | | 2013-08-23 | Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.13, when MakeClicky is configured, allows remote attackers to inject arbitrary… |
| CVE-2013-3374 | | | 2013-08-23 | Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Session::File session store, allows remot… |
| CVE-2013-3373 | | | 2013-08-23 | CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and c… |
| CVE-2013-3372 | | | 2013-08-23 | Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject multiple Content-Disposition HTTP headers and possibly condu… |
| CVE-2013-3371 | | | 2013-08-23 | Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 3.8.3 through 3.8.16 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary web s… |
| CVE-2013-3370 | | | 2013-08-23 | Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback components, which allows remote attacker… |
| CVE-2013-3369 | | | 2013-08-23 | Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions to view the administration pages to exe… |
| CVE-2013-3368 | | | 2013-08-23 | bin/rt in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows local users to overwrite arbitrary files via a symlink attack on a temporary… |
| CVE-2012-4733 | | | 2013-08-23 | Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" permission, which allows remote authenticat… |
| CVE-2012-4884 | | | 2012-11-11 | Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to create arbitrary files via unspe… |
| CVE-2012-4734 | | | 2012-11-11 | Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" attack to bypass the CSRF warning protec… |
| CVE-2012-4732 | | | 2012-11-11 | Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0.6 and other versions before 4.0.8, all… |