RT 5.0.10 Security Advisory: LPE, SQLi, LDAP Bypass, XSS & CSV Injection CVEs

RT 5.0.10 Security Vulnerability Summary Vulnerability Overview RT version 5.0.10 addresses multiple critical security vulnerabilities, including privilege escalation, SQL injection, LDAP authentication bypass, reflected cross-site scripting (XSS), and CSV injection. Affected Scope CVE-2026-42231: A privilege escalation vulnerability exists in the REST 2.0 user collection endpoint, allowing attackers to obtain authentication credentials of other users (including administrators) and read RSS/iCal data. CVE-2026-41075: An SQL injection vulnerability exists in the parameter, enabling attackers to craft inputs to modify database content. CVE-2026-41076: An LDAP authentication bypass vulnerability allows attackers to authenticate as LDAP users without valid credentials under specific configurations. CVE-2026-6841: A reflected XSS vulnerability exists in the "Page" URL parameter on the search page. CVE-2026-44227: A reflected XSS vulnerability exists in additional URL parameters on the search page. CVE-2026-44230: A reflected XSS vulnerability exists in the chart page of search results. CVE-2026-44229: A cross-site scripting vulnerability exists when uploaded content is provided as attachments. CVE-2026-41073: A CSV/formula injection vulnerability where data exported to spreadsheets is not sanitized, potentially leading to malicious formula execution. Remediation Upgrade to RT version 5.0.10. Download links: - https://download.bestpractical.com/pub/rt/release/rt-5.0.10.tar.gz - https://download.bestpractical.com/pub/rt/release/rt-5.0.10.tar.gz.asc SHA256 checksums:

Goal Reached Thanks to every supporter — we hit 100%!

RT 5.0.10 Security Advisory: LPE, SQLi, LDAP Bypass, XSS & CSV Injection CVEs

More from this source