4 vulnerabilities found for Request Tracker by Best Practical
CVE-2026-6841 (GCVE-0-2026-6841)
Vulnerability from nvd – Published: 2026-05-21 11:49 – Updated: 2026-05-21 12:45 X_Open Source
VLAI
Title
Reflected XSS in Request Tracker
Summary
Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.
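This vulnerability affects versions 5.0.4 through 5.0.9 and 6.0.0 through 6.0.2 (inclusive), matching the affected ranges listed below: 5.0.4 up to but not including 5.0.10, and 6.0.0 up to but not including 6.0.3.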
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2026/05/CVE-2026-6841 | third-party-advisory |
| https://requesttracker.com/request-tracker/ | product |
| https://docs.bestpractical.com/release-notes/rt/5.0.10 | release-notes |
| https://docs.bestpractical.com/release-notes/rt/6.0.3 | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Best Practical | Request Tracker | Affected: 5.0.4, < 5.0.10 (semver); Affected: 6.0.0, < 6.0.3 (semver) | |
Date Public
2026-05-21 10:38
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T12:42:30.866693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T12:45:14.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Request Tracker",
"repo": "https://github.com/bestpractical/rt",
"vendor": "Best Practical",
"versions": [
{
"lessThan": "5.0.10",
"status": "affected",
"version": "5.0.4",
"versionType": "semver"
},
{
"lessThan": "6.0.3",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aleksander Iwicki (CERT Polska)"
}
],
"datePublic": "2026-05-21T10:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the \"Page\" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim\u2019s browser.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThis vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to\u0026nbsp;6.0.2.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the \"Page\" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim\u2019s browser.\n\nThis vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to\u00a06.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T11:49:07.533Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2026/05/CVE-2026-6841"
},
{
"tags": [
"product"
],
"url": "https://requesttracker.com/request-tracker/"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.10"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.bestpractical.com/release-notes/rt/6.0.3"
}
],
"source": {
"discovery": "INTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Reflected XSS in Request Tracker",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-6841",
"datePublished": "2026-05-21T11:49:07.533Z",
"dateReserved": "2026-04-22T07:09:40.481Z",
"dateUpdated": "2026-05-21T12:45:14.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9158 (GCVE-0-2025-9158)
Vulnerability from nvd – Published: 2025-10-24 06:00 – Updated: 2025-10-24 16:55
VLAI
Title
Stored XSS in Request Tracker
Summary
The Request Tracker software is vulnerable to stored XSS in its calendar invitation parsing feature, which displays invitation data without HTML sanitization. An attacker can send a specially crafted e-mail so that JavaScript code executes in the context of the logged-in user when the ticket is displayed.
This vulnerability affects versions from 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2025/10/CVE-2025-9158/ | third-party-advisory |
| https://requesttracker.com/request-tracker/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Best Practical | Request Tracker | Affected: 5.0.4, ≤ 5.0.8 (custom); Affected: 6.0.0, ≤ 6.0.1 (custom) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T16:54:43.479695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T16:55:03.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Request Tracker",
"vendor": "Best Practical",
"versions": [
{
"lessThanOrEqual": "5.0.8",
"status": "affected",
"version": "5.0.4",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.0.1",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mateusz Szymaniec (CERT Polska)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization.\u0026nbsp;\u003cspan style=\"background-color: rgba(214, 214, 214, 0.04);\"\u003eXSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying the ticket in the context of the logged-in user. \u003cbr\u003e\u003cbr\u003eThis vulnerability affects versions from 5.0.4 \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethrough\u003c/span\u003e 5.0.8 and from 6.0.0 \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethrough\u003c/span\u003e 6.0.1.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization.\u00a0XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying the ticket in the context of the logged-in user. \n\nThis vulnerability affects versions from 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T06:00:10.918Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/10/CVE-2025-9158/"
},
{
"tags": [
"product"
],
"url": "https://requesttracker.com/request-tracker/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Request Tracker",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-9158",
"datePublished": "2025-10-24T06:00:10.918Z",
"dateReserved": "2025-08-19T09:42:07.655Z",
"dateUpdated": "2025-10-24T16:55:03.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-6841 (GCVE-0-2026-6841)
Vulnerability from cvelistv5 – Published: 2026-05-21 11:49 – Updated: 2026-05-21 12:45 X_Open Source
VLAI
Title
Reflected XSS in Request Tracker
Summary
Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the "Page" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim’s browser.
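This vulnerability affects versions 5.0.4 through 5.0.9 and 6.0.0 through 6.0.2 (inclusive), matching the affected ranges listed below: 5.0.4 up to but not including 5.0.10, and 6.0.0 up to but not including 6.0.3.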
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2026/05/CVE-2026-6841 | third-party-advisory |
| https://requesttracker.com/request-tracker/ | product |
| https://docs.bestpractical.com/release-notes/rt/5.0.10 | release-notes |
| https://docs.bestpractical.com/release-notes/rt/6.0.3 | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Best Practical | Request Tracker | Affected: 5.0.4, < 5.0.10 (semver); Affected: 6.0.0, < 6.0.3 (semver) | |
Date Public
2026-05-21 10:38
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6841",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-21T12:42:30.866693Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T12:45:14.647Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Request Tracker",
"repo": "https://github.com/bestpractical/rt",
"vendor": "Best Practical",
"versions": [
{
"lessThan": "5.0.10",
"status": "affected",
"version": "5.0.4",
"versionType": "semver"
},
{
"lessThan": "6.0.3",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Aleksander Iwicki (CERT Polska)"
}
],
"datePublic": "2026-05-21T10:38:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the \"Page\" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim\u2019s browser.\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(252, 252, 252);\"\u003eThis vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to\u0026nbsp;6.0.2.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "Request Tracker is vulnerable to a reflected cross-site scripting (XSS) vulnerability via the \"Page\" parameter in GET requests. An attacker can craft a URL that, when opened, results in arbitrary JavaScript execution in the victim\u2019s browser.\n\nThis vulnerability affects versions from 5.0.4 up to 5.0.9 and from 6.0.0 up to\u00a06.0.2."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "ACTIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-21T11:49:07.533Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2026/05/CVE-2026-6841"
},
{
"tags": [
"product"
],
"url": "https://requesttracker.com/request-tracker/"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.bestpractical.com/release-notes/rt/5.0.10"
},
{
"tags": [
"release-notes"
],
"url": "https://docs.bestpractical.com/release-notes/rt/6.0.3"
}
],
"source": {
"discovery": "INTERNAL"
},
"tags": [
"x_open-source"
],
"title": "Reflected XSS in Request Tracker",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2026-6841",
"datePublished": "2026-05-21T11:49:07.533Z",
"dateReserved": "2026-04-22T07:09:40.481Z",
"dateUpdated": "2026-05-21T12:45:14.647Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-9158 (GCVE-0-2025-9158)
Vulnerability from cvelistv5 – Published: 2025-10-24 06:00 – Updated: 2025-10-24 16:55
VLAI
Title
Stored XSS in Request Tracker
Summary
The Request Tracker software is vulnerable to stored XSS in its calendar invitation parsing feature, which displays invitation data without HTML sanitization. An attacker can send a specially crafted e-mail so that JavaScript code executes in the context of the logged-in user when the ticket is displayed.
This vulnerability affects versions from 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2025/10/CVE-2025-9158/ | third-party-advisory |
| https://requesttracker.com/request-tracker/ | product |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Best Practical | Request Tracker | Affected: 5.0.4, ≤ 5.0.8 (custom); Affected: 6.0.0, ≤ 6.0.1 (custom) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-9158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-24T16:54:43.479695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T16:55:03.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Request Tracker",
"vendor": "Best Practical",
"versions": [
{
"lessThanOrEqual": "5.0.8",
"status": "affected",
"version": "5.0.4",
"versionType": "custom"
},
{
"lessThanOrEqual": "6.0.1",
"status": "affected",
"version": "6.0.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mateusz Szymaniec (CERT Polska)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization.\u0026nbsp;\u003cspan style=\"background-color: rgba(214, 214, 214, 0.04);\"\u003eXSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying the ticket in the context of the logged-in user. \u003cbr\u003e\u003cbr\u003eThis vulnerability affects versions from 5.0.4 \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethrough\u003c/span\u003e 5.0.8 and from 6.0.0 \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethrough\u003c/span\u003e 6.0.1.\u003c/span\u003e\u003cbr\u003e"
}
],
"value": "The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization.\u00a0XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying the ticket in the context of the logged-in user. \n\nThis vulnerability affects versions from 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-24T06:00:10.918Z",
"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"shortName": "CERT-PL"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://cert.pl/en/posts/2025/10/CVE-2025-9158/"
},
{
"tags": [
"product"
],
"url": "https://requesttracker.com/request-tracker/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Stored XSS in Request Tracker",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
"assignerShortName": "CERT-PL",
"cveId": "CVE-2025-9158",
"datePublished": "2025-10-24T06:00:10.918Z",
"dateReserved": "2025-08-19T09:42:07.655Z",
"dateUpdated": "2025-10-24T16:55:03.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}