Description
Request Tracker is vulnerable to reflected cross-site scripting (XSS) via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
References (4)
Third Party Advisory: https://cert.pl/en/posts/2026/05/CVE-2026-6841
Product: https://requesttracker.com/request-tracker/
Release Notes: https://docs.bestpractical.com/release-notes/rt/5.0.10
Release Notes: https://docs.bestpractical.com/release-notes/rt/6.0.3
Scores
CVSS v3: 6.1
EPSS: 0.0024
EPSS Percentile: 14.6%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-79
Status: published
Products (3)
Best Practical/Request Tracker: 5.0.4 - 5.0.10
Best Practical/Request Tracker: 6.0.0 - 6.0.3
bestpractical/request_tracker: 5.0.4 - 5.0.10
Published: May 21, 2026
Tracked Since: May 21, 2026