Bestpractical Request Tracker — known CVE vulnerabilities
Every CVE whose affected-product data names Bestpractical Request Tracker, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (27)
CVE-2017-5944 — CVSS 8.8 (high): The dashboard subscription interface in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 might allow…
CVE-2017-5943 — CVSS 8.8 (high): Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 allows remote attackers to obtain sensitive information…
CVE-2013-3525 — CVSS 7.5 (high): SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL…
CVE-2023-41259 — CVSS 7.5 (high): Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Disclosure via fake or spoofed RT email headers in…
CVE-2021-38562 — CVSS 7.5 (high): Best Practical Request Tracker (RT) 4.2 before 4.2.17, 4.4 before 4.4.5, and 5.0 before 5.0.2 allows sensitive information disclosure via a…
CVE-2023-45024 — CVSS 7.5 (high): Best Practical Request Tracker (RT) 5 before 5.0.5 allows Information Disclosure via a transaction search in the transaction query builder.
CVE-2018-18898 — CVSS 7.5 (high): The email-ingestion feature in Best Practical Request Tracker 4.1.13 through 4.4 allows denial of service by remote attackers via an…
CVE-2023-41260 — CVSS 7.5 (high): Best Practical Request Tracker (RT) before 4.4.7 and 5.x before 5.0.5 allows Information Exposure in responses to mail-gateway REST API…
CVE-2025-31501 — CVSS 7.2 (high): Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an RT permalink.
CVE-2025-31500 — CVSS 7.2 (high): Best Practical RT (Request Tracker) 5.0 through 5.0.7 allows XSS via JavaScript injection in an Asset name.
CVE-2025-30087 — CVSS 7.2 (high): Best Practical RT (Request Tracker) 4.4 through 4.4.7 and 5.0 through 5.0.7 allows XSS via injection of crafted parameters in a search URL.
CVE-2014-9472 — CVSS 7.1 (high): The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a…
CVE-2015-1464 — CVSS 6.4 (medium): RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.
CVE-2012-6579 — CVSS 6.4 (medium): Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to configure…
CVE-2016-6127 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2, when the…
CVE-2022-25802 — CVSS 6.1 (medium): Best Practical Request Tracker (RT) before 4.4.6 and 5.x before 5.0.3 allows XSS via a crafted content type for an attachment.
CVE-2026-6841 — CVSS 6.1 (medium): Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker…
CVE-2017-5361 — CVSS 5.9 (medium): Request Tracker (RT) 4.x before 4.0.25, 4.2.x before 4.2.14, and 4.4.x before 4.4.2 does not use a constant-time comparison algorithm for…
CVE-2013-3737 — CVSS 5.0 (medium): The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based…
CVE-2015-1165 — CVSS 5.0 (medium): RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs…
CVE-2015-5475 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in Request Tracker (RT) 4.x before 4.2.12 allow remote attackers to inject arbitrary…
CVE-2013-3736 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0…
CVE-2012-6581 — CVSS 4.3 (medium): Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, allows remote attackers to bypass intended…
CVE-2012-6578 — CVSS 4.3 (medium): Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled with a "Sign by default" queue configuration…
CVE-2012-6580 — CVSS 4.3 (medium): Best Practical Solutions RT 3.8.x before 3.8.15 and 4.0.x before 4.0.8, when GnuPG is enabled, does not ensure that the UI labels…
CVE-2015-6506 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the cryptography interface in Request Tracker (RT) before 4.2.12 allows remote attackers to…