Skip to main content

Request Tracker CVE-2026-41073

MEDIUM
Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
2026-05-22 GitHub_M
4.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.6 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 22, 2026 - 21:46 vuln.today
Analysis Generated
May 22, 2026 - 21:46 vuln.today

DescriptionGitHub Advisory

RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.

AnalysisAI

Spreadsheet formula injection in Best Practical Request Tracker (RT) allows a low-privileged authenticated attacker to embed malicious formulas in ticket fields that execute when an administrator or staff member exports data to CSV and opens the file in a spreadsheet application. Affected versions span the entire RT 5.0 line prior to 5.0.10 and RT 6.0.0 through 6.0.2. No public exploit code has been identified at time of analysis and no CISA KEV listing exists, but the attack surface is broad given that CSV exports are a routine administrative workflow in ticketing systems.

Technical ContextAI

RT (Request Tracker) by Best Practical Solutions is an open-source enterprise ticketing platform. The affected component is its spreadsheet export feature, which serializes ticket data - including user-controlled fields such as subject lines, comments, and custom fields - into CSV or Excel-compatible output without sanitizing values that begin with formula-triggering characters (=, +, -, @, TAB, CR). CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) describes exactly this root cause: the application treats user input as raw data but spreadsheet parsers like Microsoft Excel and LibreOffice Calc evaluate leading formula characters as executable instructions upon file open. The CPE cpe:2.3:a:bestpractical:rt:*:*:*:*:*:*:*:* covers all RT versions; the vendor-confirmed affected range is RT < 5.0.10 and RT 6.0.0 through 6.0.2.

RemediationAI

Upgrade to RT 5.0.10 (released 2026-05-20, SHA-256: 508b8d401273da4fe1c47e642ecb6017939ef560e9cfdfeb8d18ef41e4dbc5e6, available at https://download.bestpractical.com/pub/rt/release/rt-5.0.10.tar.gz) or RT 6.0.3 (tagged at https://github.com/bestpractical/rt/releases/tag/rt-6.0.3). The vendor notes this release also addresses higher-severity issues (CVE-2026-44231, CVE-2026-41075) making prompt upgrade strongly advisable. If immediate upgrade is not feasible, the vendor-recommended workaround is to avoid opening RT-exported CSV/spreadsheet files directly in desktop spreadsheet applications such as Excel or LibreOffice Calc when the underlying ticket data may contain untrusted user input. A practical compensating control is to import exports into a spreadsheet with formula evaluation disabled (e.g., Excel's 'Data > From Text/CSV' import with 'Disable formula evaluation' policy enforced via Group Policy) rather than double-clicking the file - this eliminates execution risk without disrupting the reporting workflow. Restricting RT account creation to vetted internal users reduces the attacker's ability to inject malicious content.

More in Rt

View all
CVE-2026-41075 HIGH
8.8 May 22

Authenticated SQL injection in Best Practical's Request Tracker (RT) ticketing system affects versions 5.0.0-5.0.9 and 6

CVE-2026-41076 HIGH
8.1 May 22

Authentication bypass in Best Practical's Request Tracker (RT) versions 5.0.9 and prior, and 6.0.0 through 6.0.2, allows

CVE-2026-41074 HIGH
7.1 May 22

Cross-site request forgery in Best Practical Request Tracker (RT) versions 6.0.0 through 6.0.2 allows remote attackers t

CVE-2013-3370 MEDIUM
6.8 Aug 23

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 does not properly restrict access to private callback c

CVE-2012-4732 MEDIUM
6.8 Nov 11

Cross-site request forgery (CSRF) vulnerability in Request Tracker (RT) 3.8.12 and other versions before 3.8.15, and 4.0

CVE-2013-3369 MEDIUM
6.0 Aug 23

Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote authenticated users with the permissions

CVE-2012-4733 MEDIUM
6.0 Aug 23

Request Tracker (RT) 4.x before 4.0.13 does not properly enforce the DeleteTicket and "custom lifecycle transition" perm

CVE-2014-1474 MEDIUM
5.0 Jul 15

Algorithmic complexity vulnerability in Email::Address::List before 0.02, as used in RT 4.2.0 through 4.2.2, allows remo

CVE-2013-3373 MEDIUM
5.0 Aug 23

CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers

CVE-2012-4884 MEDIUM
5.0 Nov 11

Argument injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attack

CVE-2012-4734 MEDIUM
5.0 Nov 11

Request Tracker (RT) 3.8.x before 3.8.15 and 4.0.x before 4.0.8 allows remote attackers to conduct a "confused deputy" a

CVE-2013-3374 MEDIUM
4.3 Aug 23

Unspecified vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13, when using the Apache::Se

Share

CVE-2026-41073 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy