SQL Injection Vulnerability in RT Issue and Ticket Tracking System
CVE-2026-41075

8.8 HIGH

Key Information:

CVE Published: 22 May 2026

What is CVE-2026-41075?

The RT issue and ticket tracking system has a SQL injection vulnerability affecting versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2. This flaw allows authenticated users to craft malicious input that is embedded within database queries without appropriate validation, enabling unauthorized reading or modification of data within the RT database. Developers are encouraged to upgrade to versions 5.0.10 or 6.0.3 to mitigate this vulnerability. For those unable to upgrade immediately, restricting access to trusted users can serve as a temporary workaround.

Affected Version(s)

rt >= 5.0.0, < 5.0.10

rt >= 6.0.0, < 6.0.3

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
