CVE-2026-41076 is a high-severity authentication bypass vulnerability affecting RT (Request Tracker), an open-source enterprise issue and ticket tracking system. The vulnerability exists in RT versions 5.0.9 and prior, as well as versions 6.0.0 through 6.0.2, specifically in deployments configured to use LDAP or Active Directory for user authentication. Under certain LDAP server configurations, an attacke [truncated]
RT (Request Tracker) versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an authenticated SQL injection vulnerability. An attacker with valid credentials can supply crafted input that is incorporated into database queries without proper sanitization, potentially enabling unauthorized read or modification of data within the RT database. The vulnerability was disclosed on May 22, 2026, with a subse [truncated]
CVE-2026-41074 is a Cross-Site Request Forgery (CSRF) vulnerability in RT (Request Tracker), an open-source enterprise-grade issue and ticket tracking system. The vulnerability affects versions 6.0.0 through 6.0.2 and was assigned a CVSS 3.1 score of 7.1 (HIGH severity). The issue was published on 2026-05-22 and last modified on 2026-05-26. An attacker who can induce a logged-in RT user to visit a malicio [truncated]
CVE-2026-41073 is a spreadsheet formula injection vulnerability in RT (Request Tracker), an open-source enterprise issue and ticket tracking system. The vulnerability exists because user-controlled data in spreadsheet exports is not sanitized before being written to output files, allowing crafted values to be interpreted as formulas or macros when opened in spreadsheet applications. This affects versions [truncated]
