Request Tracker CVE-2026-41073
MEDIUMCVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionNVD
RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
AnalysisAI
Spreadsheet formula injection in Best Practical Request Tracker (RT) allows a low-privileged authenticated attacker to embed malicious formulas in ticket fields that execute when an administrator or staff member exports data to CSV and opens the file in a spreadsheet application. Affected versions span the entire RT 5.0 line prior to 5.0.10 and RT 6.0.0 through 6.0.2. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Share
External POC / Exploit Code
Leaving vuln.today