Best Practical RT vulnerabilities
43 known vulnerabilities affecting bestpractical/rt.

Total CVEs: 43
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0

Severity breakdown: HIGH 4, MEDIUM 34, LOW 5

Vulnerabilities
Page 1 of 3
CVE-2026-41076 | P3 | HIGH | CVSS 8.1 | CWE-287 | fixed in 5.0.10 | affected: >= 6.0.0, < 6.0.3 | 2026-05-22
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.9 and prior in addition to 6.0.0 through 6.0.2 contain an authentication bypass vulnerability in RT installations that use LDAP/AD for user authentication. Under certain LDAP server configurations, an attacker may be able to authenticate as any LDAP-backed RT user wi
Sources: cvelistv5, nvd

CVE-2026-41075 | P3 | HIGH | CVSS 8.8 | CWE-89 | affected: >= 5.0.0, < 5.0.10; >= 6.0.0, < 6.0.3 | 2026-05-22
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue
Sources: cvelistv5, nvd

CVE-2011-5092 | P3 | HIGH | CVSS 7.5 | affected: v3.0.0, v3.0.1, +81 more | 2012-06-04
Best Practical Solutions RT 3.8.x before 3.8.12 and 4.x before 4.0.6 allows remote attackers to execute arbitrary code and gain privileges via unspecified vectors, a different vulnerability than CVE-2011-4458 and CVE-2011-5093.
Source: nvd

CVE-2011-4458 | P3 | MEDIUM | CVSS 6.8 | CWE-94 | affected: v3.6.0, v3.6.1, +32 more | 2012-06-04
Best Practical Solutions RT 3.6.x, 3.7.x, and 3.8.x before 3.8.12 and 4.x before 4.0.6, when the VERPPrefix and VERPDomain options are enabled, allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2011-5092 and CVE-2011-5093.
Source: nvd

CVE-2013-3370 | P3 | MEDIUM | CVSS 6.8 | CWE-264 | affected: v4.0.0, v4.0.1, +28 more | 2013-08-23
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback components, which allows remote attackers to have an unspecified impact via a direct request.
Source: nvd

CVE-2011-4460 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | affected: v2.0.0, v2.0.1, +98 more | 2012-06-04
SQL injection vulnerability in Best Practical Solutions RT 2.x and 3.x before 3.8.12 and 4.x before 4.0.6 allows remote authenticated users to execute arbitrary SQL commands by leveraging access to a privileged account.
Source: nvd

CVE-2011-5093 | P3 | MEDIUM | CVSS 6.5 | affected: v3.8.12, v4.0.0, +5 more | 2012-06-04
Best Practical Solutions RT 4.x before 4.0.6 does not properly implement the DisallowExecuteCode option, which allows remote authenticated users to bypass intended access restrictions and execute arbitrary code by leveraging access to a privileged account, a different vulnerability than CVE-2011-4458 and CVE-2011-5092.
Source: nvd

CVE-2011-1686 | P3 | MEDIUM | CVSS 6.5 | CWE-89 | affected: v2.0.0, v2.0.1, +63 more | 2011-04-22
Multiple SQL injection vulnerabilities in Best Practical Solutions RT 2.0.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors, as demonstrated by reading data.
Source: nvd

CVE-2026-41074 | P4 | HIGH | CVSS 7.1 | CWE-352 | affected: >= 6.0.0, < 6.0.3 | 2026-05-22
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. This issue has been fixed in version 6.0.
Sources: cvelistv5, nvd

CVE-2011-1688 | P4 | MEDIUM | CVSS 4.3 | CWE-22 | affected: v3.2.0, v3.2.1, +31 more | 2011-04-22
Directory traversal vulnerability in Best Practical Solutions RT 3.2.0 through 3.6.10, 3.8.0 through 3.8.9, and 4.0.0rc through 4.0.0rc7 allows remote attackers to read arbitrary files via a crafted HTTP request.
Source: nvd

CVE-2013-3369 | P4 | MEDIUM | CVSS 6.0 | affected: v3.8.0, v3.8.1, +28 more | 2013-08-23
Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions to view the administration pages to execute arbitrary private components via unspecified vectors.
Source: nvd

CVE-2012-4884 | P4 | MEDIUM | CVSS 5.0 | CWE-94 | affected: v3.8.0, v3.8.1, +22 more | 2012-11-11
Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to create arbitrary files via unspecified vectors related to the GnuPG client.
Source: nvd

CVE-2012-4733 | P4 | MEDIUM | CVSS 6.0 | CWE-255 | affected: v4.0.0, v4.0.1, +5 more | 2013-08-23
Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" permission, which allows remote authenticated users with the ModifyTicket permission to delete tickets via unspecified vectors.
Source: nvd

CVE-2011-1690 | P4 | MEDIUM | CVSS 4.3 | CWE-255 | affected: v3.6.0, v3.6.1, +18 more | 2011-04-22
Best Practical Solutions RT 3.6.0 through 3.6.10 and 3.8.0 through 3.8.8 allows remote attackers to trick users into sending credentials to an arbitrary server via unspecified vectors.
Source: nvd

CVE-2012-4732 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | affected: v3.8.12, v3.8.13, +4 more | 2012-11-11
Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0.6 and other versions before 4.0.8, allows remote attackers to hijack the authentication of users for requests that toggle ticket bookmarks.
Source: nvd

CVE-2025-31500 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≥ 5.0.0, < 5.0.8 | 2025-05-28
Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name.
Source: nvd

CVE-2013-3373 | P4 | MEDIUM | CVSS 5.0 | CWE-94 | affected: v4.0.0, v4.0.1, +28 more | 2013-08-23
CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a MIME header.
Source: nvd

CVE-2012-4734 | P4 | MEDIUM | CVSS 5.0 | CWE-264 | affected: v3.8.0, v3.8.1, +22 more | 2012-11-11
Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" attack to bypass the CSRF warning protection mechanism and cause victims to "modify arbitrary state" via unknown vectors related to a crafted link.
Source: nvd

CVE-2011-2085 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | affected: ≤ 3.8.11, v1.0.0, +107 more | 2012-06-04
Multiple cross-site request forgery (CSRF) vulnerabilities in Best Practical Solutions RT before 3.8.12 and 4.x before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users.
Source: nvd

CVE-2025-30087 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | affected: ≥ 4.4.0, < 4.4.8; ≥ 5.0.0, < 5.0.8 | 2025-05-28
Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
Source: nvd
