8.8
CVE-2026-41075
- EPSS 0.34%
- Veröffentlicht 22.05.2026 21:17:36
- Zuletzt bearbeitet 26.05.2026 20:03:14
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
RT: SQL injection via entry_aggregator parameter in JSON search
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing them to read or modify data in the RT database. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by restricting RT account access to trusted users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerbestpractical
≫
Produkt
rt
Version
>= 5.0.0, < 5.0.10
Status
affected
Version
>= 6.0.0, < 6.0.3
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.34% | 0.261 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
https://github.com/bestpractical/rt/releases/tag/rt-5.0.10
https://github.com/bestpractical/rt/releases/tag/rt-6.0.3
https://github.com/bestpractical/rt/security/advisories/GHSA-7vf8-xv7w-97c6