QwikSec

Security Database

CVE

CWE

Training

CVE-2026-6841

Published: May 21, 2026

Modified: May 21, 2026

PUBLISHED

Description

Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.

Vendor	Product	Versions
Best Practical	Request Tracker	affected `5.0.4 - < 5.0.10` affected `6.0.0 - < 6.0.3`

Weaknesses (CWE)

References

https://cert.pl/en/posts/2026/05/CVE-2026-6841

third-party-advisory

https://requesttracker.com/request-tracker/

product

https://docs.bestpractical.com/release-notes/rt/5.0.10

release-notes

https://docs.bestpractical.com/release-notes/rt/6.0.3

release-notes

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.