7.1
CVE-2026-41074
- EPSS 0.12%
- Veröffentlicht 22.05.2026 21:12:41
- Zuletzt bearbeitet 26.05.2026 20:03:14
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
RT has broken CSRF protection for authenticated users
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that user's behalf. This issue has been fixed in version 6.0.3.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerbestpractical
≫
Produkt
rt
Version
>= 6.0.0, < 6.0.3
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.12% | 0.019 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 7.1 | 2.8 | 4.2 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L
|
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
https://github.com/bestpractical/rt/releases/tag/rt-6.0.3
https://github.com/bestpractical/rt/security/advisories/GHSA-265j-qx4w-256j