CVE-2026-41075
Published 2026-05-22
Priority: P356 · Severity: high · CVSS 3.1 base score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.34% (26.3rd percentile)
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bestpractical | rt | 5.0.0 through 5.0.9 | 5.0.10 |
| bestpractical | rt | 6.0.0 through 6.0.2 | 6.0.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| cvelistv5 | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
VulDB
bestpractical rt up to 5.0.9/6.0.2 sql injection (GHSA-7vf8-xv7w-97c6)
vuldb · 2026-05-23 · CVE-2026-41075 [CRITICAL]
A vulnerability was found in bestpractical rt up to 5.0.9/6.0.2 and classified as critical. Affected by this issue is some unknown functionality. Executing a manipulation can lead to sql injection.
This vulnerability appears as CVE-2026-41075. The attack may be performed from remote. There is no available exploit.
It is suggested to upgrade the affected component.
CVEList
RT: SQL injection via entry_aggregator parameter in JSON search
cvelistv5 · 2026-05-22 · CVSS 8.8 · CVE-2026-41075 [HIGH] · CWE-89
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-41075 rt: RT: SQL Injection Vulnerability Allows Authenticated Data Access [fedora-all]
bugzilla · 2026-05-29 · CVSS 8.8 · [HIGH]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-41075 rt: RT: SQL Injection Vulnerability Allows Authenticated Data Access
bugzilla · 2026-05-22 · CVSS 8.8 · [HIGH]
Published 2026-05-22