CVE-2026-6841
Severity CVSS v4.0:
MEDIUM
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
21/05/2026
Last modified:
01/06/2026
Description
Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.<br />
<br />
This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.
Impact
Base Score 4.0
5.10
Severity 4.0
MEDIUM
Base Score 3.x
6.10
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:* | 5.0.4 (including) | 5.0.10 (excluding) |
| cpe:2.3:a:bestpractical:request_tracker:*:*:*:*:*:*:*:* | 6.0.0 (including) | 6.0.3 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



