CVE-2026-6841

UNKNOWN 0.0

Reflected XSS in Request Tracker

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.

CWE	CWE-79
Vendor	best practical
Product	request tracker
Published	May 21, 2026
Last Updated	May 21, 2026

Stay Ahead of the Next One

Get instant alerts for best practical request tracker

Be the first to know when new unknown vulnerabilities affecting best practical request tracker are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Best Practical / Request Tracker

5.0.4 < 5.0.10 6.0.0 < 6.0.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

cert.pl: https://cert.pl/en/posts/2026/05/CVE-2026-6841 requesttracker.com: https://requesttracker.com/request-tracker/ docs.bestpractical.com: https://docs.bestpractical.com/release-notes/rt/5.0.10 docs.bestpractical.com: https://docs.bestpractical.com/release-notes/rt/6.0.3

Credits

Aleksander Iwicki (CERT Polska)