PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6841 Best Practical CVE debrief

CVE-2026-6841 is a reflected cross-site scripting (XSS) flaw in Request Tracker. A crafted GET request using the Page parameter can cause attacker-controlled JavaScript to run in a victim's browser when they open the link. The issue is reported for RT 5.0.4 through 5.0.9 and 6.0.0 through 6.0.2; the source references point to fixed releases 5.0.10 and 6.0.3.

Vendor: Best Practical
Product: Request Tracker
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Administrators and security teams running Request Tracker 5.0.4-5.0.9 or 6.0.0-6.0.2, especially on shared or internet-facing deployments, and users who may receive RT links from untrusted sources.

Technical summary

This is a CWE-79 reflected XSS condition. The vulnerable Page query parameter is echoed into the response in a way that allows script execution in the context of the logged-in user. Because the attack is delivered through a crafted URL, user interaction is required.

Defensive priority

Medium. The issue requires a victim to open a malicious link, but successful exploitation can run attacker-controlled JavaScript in the Request Tracker origin and affect user sessions or actions within that browser context.

Recommended defensive actions

  • Upgrade Request Tracker to 5.0.10 or 6.0.3, as applicable.
  • Inventory all RT instances and confirm whether any run versions 5.0.4-5.0.9 or 6.0.0-6.0.2.
  • Warn users not to open untrusted RT links and treat shared URLs as potentially malicious until patched.
  • Review access logs for unusual use of the Page parameter while planning remediation.
  • If you must defer patching, reduce exposure of the interface to untrusted users and apply compensating controls where possible.
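As an added example (not part of the PatchSiren debrief or of Request Tracker's own code), the version-inventory and log-review steps above in Python: a check against the affected ranges stated in this debrief, and a scan of web server access logs for GET requests whose Page parameter carries markup rather than a normal page reference. It assumes a combined-format access log; the sample log lines, the RT URL paths in them and the suspicious-character heuristic are constructed assumptions, so tune them to your deployment.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Affected ranges from the debrief: 5.0.4-5.0.9 and 6.0.0-6.0.2 (fixed in 5.0.10 / 6.0.3).
AFFECTED_RANGES = (((5, 0, 4), (5, 0, 9)), ((6, 0, 0), (6, 0, 2)))

def parse_version(text):
    """Turn 'RT 5.0.9' or '5.0.9' into a comparable (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version_text):
    """True if the reported RT version falls inside an affected range."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

# Combined log format (assumption: adjust the regex to your web server's format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic (assumption): a legitimate Page value is a number or plain page name, so
# HTML-significant characters or a javascript: scheme after decoding are worth a look.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)

def suspicious_page_requests(log_lines):
    """Return (client ip, timestamp, decoded Page value) for GET requests whose
    Page parameter looks like markup or script instead of a page reference."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query, keep_blank_values=True).get("Page", []):
            decoded = unquote(value)  # parse_qs decodes once; this catches double encoding
            if SUSPICIOUS.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits

# Constructed sample log lines (documentation-range IPs; not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [21/May/2026:10:00:01 +0000] "GET /rt/Search/Results.html?Page=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/May/2026:10:00:07 +0000] "GET /rt/Search/Results.html?Page=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 4096',
    '198.51.100.2 - - [21/May/2026:10:01:00 +0000] "POST /rt/Ticket/Update.html HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print("RT 5.0.9 affected:", is_affected("RT 5.0.9"))
    for ip, ts, page in suspicious_page_requests(SAMPLE_LOG):
        print(f"{ts} {ip} Page={page!r}")
```

A hit in this scan is a prompt for review, not proof of exploitation; confirm against the response and the user session before escalating.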

Evidence notes

The supplied NVD metadata describes a reflected XSS issue in Request Tracker via the Page GET parameter, with affected ranges 5.0.4-5.0.9 and 6.0.0-6.0.2. The same metadata cites CERT.PL and Best Practical release notes for 5.0.10 and 6.0.3 as references. The CVSS vector indicates network attack, low complexity, and user interaction required, which is consistent with reflected XSS. Vendor identity in the provided corpus is low-confidence, so this debrief uses 'Request Tracker' as the product name and avoids over-claiming the vendor.

Official resources

Publicly disclosed on 2026-05-21 in the source corpus and NVD update.