CVE-2026-6841 MEDIUM

CVE-2026-6841: Reflected XSS in Request Tracker

Vendor Best Practical
Product Request Tracker
Weakness CWE-79 · XSS
Published May 21, 2026
Last update May 21, 2026
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser. This vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to 6.0.2.

Key dates

02Disclosure timeline

May 21, 2026 CVE published
May 21, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-7332 LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter CVE-2025-9003 D-Link DIR-818LW DHCP Reserved Address bsc_lan.php cross site scripting CVE-2025-63032 WordPress Consulting theme <= 1.5.0 - Cross Site Scripting (XSS) vulnerability CVE-2023-28429 Pimcore has Cross-site Scripting vulnerability in DataObject tooltip field CVE-2025-25169 WordPress Authors Autocomplete Meta Box plugin <= 1.2 - Reflected Cross Site Scripting (XSS) vulnerability