CVE-2026-6841

Name: CVE-2026-6841
Description: Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
Source: CVE (at NVD)
References: DSA-6324-1, DSA-6327-1
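As an added example, not part of the Debian tracker page and not code from Request Tracker, the following Python retro-hunt scans web server access logs for GET requests whose "Page" query parameter carries HTML or script metacharacters after percent-decoding. The log lines are constructed; the /rt/Example.html path is a placeholder (the advisory does not say which RT endpoint reads the parameter, so the rule keys on the parameter name alone); and the assumption that legitimate Page values contain no such characters is the example's, not the advisory's.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" log format. /rt/Example.html is a
# placeholder path: the advisory does not say which RT page reads "Page", so the
# rule below keys on the parameter name alone, whatever the path.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2026:10:01:22 +0000] "GET /rt/Example.html?Page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:10:02:05 +0000] "GET /rt/Example.html?Page=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5311 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2026:10:03:44 +0000] "GET /rt/Example.html?id=42 HTTP/1.1" 200 8801 "-" "curl/8.5"
198.51.100.9 - - [12/May/2026:10:04:10 +0000] "POST /rt/Example.html?Page=%3Cb%3E HTTP/1.1" 200 5290 "-" "curl/8.5"
198.51.100.9 - - [12/May/2026:10:04:31 +0000] "GET /rt/Example.html?page=3&Page=1%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5290 "-" "curl/8.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption (the example's, not the advisory's): legitimate values of "Page"
# never contain HTML metacharacters, a javascript: scheme or an on*= handler.
SUSPICIOUS = re.compile(r'[<>"\']|javascript:|\bon\w+\s*=', re.IGNORECASE)


def suspicious_page_requests(log_text):
    """Return (client_ip, timestamp, decoded_value) for every GET whose "Page"
    query parameter looks like an XSS probe. The advisory says GET, so other
    methods are skipped; the parameter name is matched case-sensitively."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("Page", []):
            # parse_qs already percent-decodes once; decode again so a
            # double-encoded payload (%253C ...) does not slip through.
            decoded = unquote_plus(value)
            if SUSPICIOUS.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_page_requests(SAMPLE_LOG):
        print(f"{ts} {ip} Page={value!r}")
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a hit is evidence of a probe, not of success, since a 200 response is returned for both benign and malicious values of a reflected parameter.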

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release              Version                 Status
request-tracker4  bullseye             4.4.4+dfsg-2+deb11u3    vulnerable
                  bullseye (security)  4.4.4+dfsg-2+deb11u5    vulnerable
                  bookworm             4.4.6+dfsg-1.1+deb12u3  vulnerable
                  bookworm (security)  4.4.6+dfsg-1.1+deb12u4  fixed
request-tracker5  bookworm             5.0.3+dfsg-3~deb12u5    vulnerable
                  bookworm (security)  5.0.3+dfsg-3~deb12u6    fixed
                  trixie               5.0.7+dfsg-4+deb13u2    vulnerable
                  trixie (security)    5.0.7+dfsg-4+deb13u3    fixed
                  forky, sid           5.0.10+dfsg-1           fixed

The information below is based on the following data on fixed versions.

Package           Type    Release     Fixed Version           Urgency  Origin      Debian Bugs
request-tracker4  source  bookworm    4.4.6+dfsg-1.1+deb12u4           DSA-6327-1
request-tracker4  source  (unstable)  (unfixed)
request-tracker5  source  bookworm    5.0.3+dfsg-3~deb12u6             DSA-6324-1
request-tracker5  source  trixie      5.0.7+dfsg-4+deb13u3             DSA-6324-1
request-tracker5  source  (unstable)  5.0.10+dfsg-1

The Urgency and Debian Bugs columns are empty for every row.

Notes

https://github.com/bestpractical/rt/releases/tag/rt-5.0.10
Fixed by: https://github.com/bestpractical/rt/commit/d7abb692a5ab7a7738a08be3debb92b1c6ab8215 (rt-5.0.10)
