Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy Bezpieczny telefon
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerability in Request Tracker software
24 October 2025 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2025-9158
Publication date 24 October 2025
Vendor Best Practical
Product Request Tracker
Vulnerable versions From 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1
Vulnerability type (CWE) Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') (CWE-79)
Report source Own research

Description

CERT Polska during own research has found a vulnerability in Best Practical Request Tracker software and participated in coordination of its disclosure.

The vulnerability CVE-2025-9158: The Request Tracker software is vulnerable to a Stored XSS vulnerability in calendar invitation parsing feature, which displays invitation data without HTML sanitization. XSS vulnerability allows an attacker to send a specifically crafted e-mail enabling JavaScript code execution by displaying the ticket in the context of the logged-in user.

This vulnerability affects versions from 5.0.4 through 5.0.8 and from 6.0.0 through 6.0.1.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.