Request Tracker vulnerabilities
Summary
Aleksander Iwicki discovered that Request Tracker did not properly sanitize the search "Page" URL parameter. A remote attacker could possibly use this issue to conduct a reflected cross-site scripting attack. (CVE-2026-6841) It was discovered that Request Tracker did not properly sanitize user- controlled data written to spreadsheet exports of search results. A remote attacker could possibly use this issue to conduct a spreadsheet (CSV/formula) injection attack, causing spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. (CVE-2026-41073) It was discovered that Request Tracker did not properly validate input incorporated into database queries via the entry_aggregator parameter in JSON search. An authenticated user could possibly use this issue to perform SQL injection attacks and read or modify data in the RT database. (CVE-2026-41075) It was discovered that Request Tracker contained an authentication bypass when configured to authenticate users against an LDAP or Active Directory server. Under certain LDAP server configurations, a remote attacker could possibly use this issue to authenticate as any LDAP-backed RT user without supplying valid credentials. (CVE-2026-41076) It was discovered that Request Tracker served certain uploaded content inline rather than as an attachment. A remote attacker could possibly use this issue to con Affected Ubuntu releases: 26.04, 24.04, 22.04. CVEs: CVE-2026-44231, CVE-2026-44230, CVE-2026-6841, CVE-2026-44229, CVE-2026-41075, CVE-2026-41073, CVE-2026-41076.
- Ubuntu 26.04
- Ubuntu 24.04
- Ubuntu 22.04
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Apply available updates: `sudo apt update && sudo apt upgrade` (a standard system update installs the fix).
Official advisory · medium-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.