CSV Injection Vulnerability in Best Practical Request Tracker
CVE-2025-61873

2.6LOW

Key Information:

Vendor: Bestpractical
Status: Request Tracker
Vendor: CVE Published:; 16 January 2026

🔔 Create Bestpractical Vulnerability Alert

What is CVE-2025-61873?

The Best Practical Request Tracker (RT) application is susceptible to a CSV Injection vulnerability, which arises when exporting ticket values in TSV format. This issue can enable attackers to manipulate CSV files, potentially allowing for unauthorized actions when the exported data is imported into spreadsheet applications. Versions affected include those prior to 4.4.9, 5.0.9, and 6.0.2. Users of these versions are advised to upgrade to mitigate the risk.

Affected Version(s)

Request Tracker 0 < 4.4.9

Request Tracker 5.0 < 5.0.9

Request Tracker 6.0 < 6.0.2

References

https://docs.bestpractical.com/release-notes/rt/index.html

CVSS V3.1

Score:

2.6

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 16, 2026
Vulnerability Reserved
Oct 3, 2025

CVE-2025-61873 Data

JSON