10 matches found
CVE-2026-41075 RT: SQL injection via entry_aggregator parameter in JSON search
RT is an open source, enterprise-grade issue and ticket tracking system. Versions 5.0.0 through 5.0.9 and 6.0.0 through 6.0.2 contain an SQL injection vulnerability. An authenticated user can craft input that is incorporated into database queries without proper validation, potentially allowing th...
CVE-2026-41075
RT (Request Tracker) is affected by an SQL injection in the JSON search path via the entry_aggregator parameter. Affected versions: 5.0.0–5.0.9 and 6.0.0–6.0.2. Root cause: input incorporated into queries without proper validation, enabling authenticated users to read or modify RT database data. ...
CVE-2022-35493
A cross-site scripting (XSS) vulnerability in json search parse and the json response in wrteam.in, eShop - Multipurpose Ecommerce Store Website version 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the getproducts?search parameter...
EUVD-2022-38381
Malicious code in bioql PyPI...
Malicious code in json-search (npm)
The package json-search was found to contain malicious code...
MAL-2025-23957 Malicious code in json-search (npm)
The package json-search was found to contain malicious code...
Cross site scripting
A cross-site scripting (XSS) vulnerability in json search parse and the json response in wrteam.in, eShop - Multipurpose Ecommerce Store Website version 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the getproducts?search parameter...
HackerOne: Private Program and bounty details disclosed as part of JSON search response
Hello Hackerone Team !!!! Few days ago invited me for Private disclose !!! Yesterday I saw fix of this report 80597 So, I deepdigger the JSON search Response for example I search this directory https://hackerone.com/████ https://hackerone.com/████; Now I access without authentication and I saw the...
HackerOne: Number of invited researchers disclosed as part of JSON search response
I was informed via email that the bug I tweeted about https://twitter.com/jessescitech/status/623976563177070594 is actually a security issue, and the number of search results returned is the number of invited researchers for the team. I can't actually verify this, but the email said that a fix i...