Security

SECURITY.md

Reporting Security Vulnerabilities

If you believe you've discovered a security issue in RT, please send an email to security@bestpractical.com with a detailed description of the issue, and a secure means to respond to you (such as your PGP public key). You can find our PGP key and fingerprint at https://bestpractical.com/security/.

Reflected Cross-Site Scripting in search results chart
GHSA-p724-v26h-32g9 published May 20, 2026 by cbrandtbuffalo

Moderate
Privilege escalation and information disclosure via REST 2.0 user collection endpoint
GHSA-7rx2-x357-wv74 published May 20, 2026 by cbrandtbuffalo

Critical
Cross-Site Scripting via inline-served uploaded content
GHSA-x576-pvwp-c2qv published May 20, 2026 by cbrandtbuffalo

Moderate
Stored Cross-Site Scripting via insufficient template escaping
GHSA-pfgp-5j8g-phgc published May 20, 2026 by cbrandtbuffalo

Moderate
Reflected Cross-Site Scripting via URL parameters
GHSA-7742-fhq7-ggv9 published May 20, 2026 by cbrandtbuffalo

Moderate
LDAP authentication bypass via empty password
GHSA-3w28-fmcr-mjjx published May 20, 2026 by cbrandtbuffalo

High
SQL injection via entry_aggregator parameter in JSON search
GHSA-7vf8-xv7w-97c6 published May 20, 2026 by cbrandtbuffalo

High
CSRF protection broken for authenticated users in RT 6
GHSA-265j-qx4w-256j published May 20, 2026 by cbrandtbuffalo

High
Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps
GHSA-6x92-7v65-7m3r published May 20, 2026 by cbrandtbuffalo

Moderate

Learn more about advisories related to bestpractical/rt in the GitHub Advisory Database