CVE-2026-6841
published 2026-05-21
CVE-2026-6841: Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL…
Priority P4 · 27 · medium · 6.1 · CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.24% (14.3th percentile)
Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.
This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| best_practical | request_tracker | >= 5.0.4 < 5.0.10 | 5.0.10 |
| best_practical | request_tracker | >= 6.0.0 < 6.0.3 | 6.0.3 |
| bestpractical | request_tracker | >= 5.0.4 < 5.0.10 | 5.0.10 |
| bestpractical | request_tracker | >= 6.0.0 < 6.0.3 | 6.0.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v4.0 | 5.1 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
Best Practical Request Tracker up to 5.0.9/6.0.2 GET Request Page cross site scripting
vuldb·2026-05-21·CVSS 5.1
CVE-2026-6841 [MEDIUM] Best Practical Request Tracker up to 5.0.9/6.0.2 GET Request Page cross site scripting
A vulnerability categorized as problematic has been discovered in Best Practical Request Tracker up to 5.0.9/6.0.2. This vulnerability affects unknown code of the component GET Request Handler. The manipulation of the argument Page results in cross site scripting.
This vulnerability is identified as CVE-2026-6841. The attack can be executed remotely. There is not any exploit available.
It is advisable to upgrade the affected component.
GHSA
GHSA-79vr-q653-q96g: Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests
ghsa_unreviewed·2026-05-21
CVE-2026-6841 [MEDIUM] CWE-79 GHSA-79vr-q653-q96g: Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests
Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.
This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-6841 rt: reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests [fedora-all]
bugzilla·2026-06-02·CVSS 5.1
CVE-2026-6841 [MEDIUM] CVE-2026-6841 rt: reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-6841 rt: reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests
bugzilla·2026-05-21·CVSS 5.1
CVE-2026-6841 [MEDIUM] CVE-2026-6841 rt: reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests
Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.
This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
Published: 2026-05-21