CVE-2026-41075

EUVD-2026-31505

22.05.2026, 22:16

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users.

SQL Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Debian Releases

Debian Product

Codename

request-tracker4

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	vulnerable

request-tracker5

bookworm	vulnerable
bookworm (security)	vulnerable
forky	vulnerable
sid	5.0.10+dfsg-1 fixed
trixie	vulnerable
trixie (security)	vulnerable

Common Weakness Enumeration

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

References

https://github.com/bestpractical/rt/releases/tag/rt-5.0.10

https://github.com/bestpractical/rt/releases/tag/rt-6.0.3

https://github.com/bestpractical/rt/security/advisories/GHSA-7vf8-xv7w-97c6