CVE-2025-9158

The Request Tracker software is vulnerable to a stored XSS vulnerability in its calendar invitation parsing feature, which displays invitation data without HTML sanitization. The vulnerability allows an attacker to send a specially crafted e-mail that leads to JavaScript code execution in the context of the logged-in user when the ticket is displayed.

This vulnerability affects versions from 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1.
Cross-site Scripting
Provider    Type    Base Score    Atk. Vector    Atk. Complexity    Priv. Required    Vector
NIST        NIST    UNKNOWN       ---            ---                ---               ---
CERT-PL     CNA     ---           ---            ---                ---               ---
CISA-ADP    ADP     ---           ---            ---                ---               ---

Status: Awaiting analysis. This vulnerability is currently awaiting analysis.
Base Score (CVSS 3.x): not yet assigned
EPSS Score: Percentile 26%
Debian Releases

Debian Product      Codename               Version                   Status
request-tracker5    bookworm               5.0.3+dfsg-3~deb12u3      not-affected
request-tracker5    bookworm (security)    5.0.3+dfsg-3~deb12u4      fixed
request-tracker5    trixie                 (no version listed)       vulnerable
request-tracker5    trixie (security)      5.0.7+dfsg-4+deb13u1      fixed
request-tracker5    forky                  5.0.7+dfsg-6              fixed
request-tracker5    sid                    5.0.7+dfsg-6              fixed