Stored XSS Vulnerability in Request Tracker Software by Best Practical Solutions
CVE-2025-9158

Score: 5.3 (MEDIUM)

Key Information:

Vendor: Best Practical Solutions
CVE Published: 24 October 2025

What is CVE-2025-9158?

Request Tracker's calendar invitation parsing feature fails to properly sanitize HTML content in the invitation data it extracts. An attacker can exploit this by sending a specially crafted email containing a calendar invitation; when a logged-in user views it, malicious JavaScript embedded in the invitation executes in that user's browser. Because RT displays this untrusted invitation data without sanitizing it, the accounts of affected users can be compromised and the sensitive information they can access is put at risk.
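As an added example (not RT's code and not part of the advisory), the following Python sketch shows the relevant mitigation from a defender's side: text fields are extracted from an iCalendar invitation and HTML-escaped before being rendered, so any markup an invitation carries is displayed literally instead of being interpreted by the browser. The sample invitation and all function names are constructed for this illustration.

```python
import html
import re

# Constructed sample invitation (not taken from the advisory). The SUMMARY
# and DESCRIPTION fields carry markup that must never reach the browser raw.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Quarterly <b>review</b>\r\n"
    "DESCRIPTION:Agenda <script>alert(1)</script> follows\r\n"
    " (continued on a folded line)\r\n"
    "LOCATION:Room 4\\, Floor 2\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

def unfold(ics: str) -> list[str]:
    """Join RFC 5545 folded lines: a continuation starts with a space or tab."""
    lines: list[str] = []
    for raw in ics.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def unescape_text(value: str) -> str:
    """Undo iCalendar TEXT escaping (\\, \\; \\n and \\\\)."""
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def parse_event(ics: str) -> dict[str, str]:
    """Return the human-readable fields of the first VEVENT, still untrusted."""
    fields: dict[str, str] = {}
    for line in unfold(ics):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.split(";", 1)[0].upper()  # drop parameters (e.g. ;LANGUAGE=en)
        if name in ("SUMMARY", "DESCRIPTION", "LOCATION") and name not in fields:
            fields[name] = unescape_text(value)
    return fields

def render_event_html(fields: dict[str, str]) -> str:
    """Render the fields as HTML; escaping happens at the output boundary."""
    rows = []
    for name in ("SUMMARY", "DESCRIPTION", "LOCATION"):
        if name in fields:
            safe = html.escape(fields[name], quote=True).replace("\n", "<br>")
            rows.append(f"<tr><th>{name.title()}</th><td>{safe}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"
```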

Affected Version(s)

Request Tracker 5.0.4 through 5.0.8

Request Tracker 6.0.0 through 6.0.1

CVSS v4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Mateusz Szymaniec (CERT Polska)