Description
RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
Published: 2026-05-22
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue arises from unsanitized user data in spreadsheet exports, allowing CSV or formula injection. When a compromised spreadsheet is opened in Excel or other compatible applications, the injected values can be interpreted as formulas or macros, potentially enabling an attacker to execute arbitrary code or read sensitive data. This injection threatens confidentiality, integrity, and can lead to unintended workflow interruption.

Affected Systems

The vulnerability affects the RT issue and ticket tracking system distributed by Best Practical, specifically versions prior to 5.0.10 and 6.0.0 through 6.0.2. These releases are still used in some deployments; the workaround notes that the issue is fixed in 5.0.10 and 6.0.3.

Risk and Exploitability

The CVSS score of 4.6 places it in the moderate range. EPSS is available but not provided, and it is not listed in CISA KEV. Exploitation requires an exported spreadsheet containing malicious content to be opened by a victim in a spreadsheet application; no network exploit is described. Because the attack depends on user interaction, the effective threat is limited to environments where exporting and opening spreadsheet data is common. Nevertheless, if the spreadsheet is opened automatically or macros are enabled, an attacker could run code or exfiltrate data.

Generated by OpenCVE AI on May 22, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RT to version 5.0.10 or 6.0.3 or later.
  • If upgrade is not possible, avoid opening exported RT spreadsheet files directly in a spreadsheet application when data may contain untrusted user input.
  • Disable or restrict macro execution in the spreadsheet application and consider using a viewer that does not automatically evaluate formulas.

Generated by OpenCVE AI on May 22, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 23 May 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 23 May 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared Bestpractical
Bestpractical rt
Vendors & Products Bestpractical
Bestpractical rt

Fri, 22 May 2026 21:30:00 +0000

Type Values Removed Values Added
Description RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
Title RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps
Weaknesses CWE-1236
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}

Subscriptions

Bestpractical Rt
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-23T02:57:38.966Z

Reserved: 2026-04-16T16:43:03.174Z

Link: CVE-2026-41073

cve-icon Vulnrichment

Updated: 2026-05-23T02:57:33.496Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-23T00:00:04Z

Weaknesses