Spreadsheet Injection Vulnerability in RT Ticket Tracking System
CVE-2026-41073

4.6 MEDIUM

Key Information:

CVE Published: 22 May 2026

What is CVE-2026-41073?

The RT ticket tracking system is affected by a spreadsheet (CSV/formula) injection vulnerability: user-supplied data included in spreadsheet exports is not adequately sanitized, so crafted values can be interpreted as formulas or macros by a spreadsheet application when the exported file is opened. It is crucial for users of RT versions prior to 5.0.10, and of versions 6.0.0 through 6.0.2, to upgrade to the latest versions (5.0.10 or 6.0.3) to mitigate this risk. Developers who cannot upgrade immediately should refrain from directly opening exported files containing untrusted user input in any spreadsheet application to avoid potential exploitation.
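Where an export from an unpatched instance still has to be reviewed, it can be checked and neutralized as plain text first. The following is an added example, not RT's code or its fix; it assumes a CSV/TSV text export, a commonly recommended set of trigger characters, and the apostrophe-prefix convention for forcing a cell to text, and the sample rows are constructed.

```python
import csv
import io

# Leading characters a spreadsheet application may treat as the start of a
# formula. Assumption: commonly recommended set, not a list taken from RT.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet application could evaluate this cell."""
    stripped = cell.lstrip(" ")  # conservative: ignore leading spaces
    if not stripped.startswith(FORMULA_TRIGGERS):
        return False
    try:
        float(stripped)  # plain signed numbers such as "-5" are harmless
        return False
    except ValueError:
        return True


def neutralize(cell: str) -> str:
    """Prefix a formula-like cell with an apostrophe so it is shown as text."""
    return "'" + cell if is_formula_like(cell) else cell


def sanitize_export(text: str, delimiter: str = "\t"):
    """Return (sanitized_text, findings); findings are (row, col, value), 1-indexed."""
    findings = []
    out = io.StringIO()
    writer = csv.writer(out, delimiter=delimiter, lineterminator="\n")
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    for r, row in enumerate(reader, 1):
        for c, cell in enumerate(row, 1):
            if is_formula_like(cell):
                findings.append((r, c, cell))
        writer.writerow([neutralize(cell) for cell in row])
    return out.getvalue(), findings


# Constructed sample export; the formula-like values are benign arithmetic.
SAMPLE_EXPORT = (
    "id\tSubject\tRequestor\tPriority\n"
    "101\tPrinter offline\talice@example.com\t-5\n"
    "102\t=1+1\tbob@example.com\t0\n"
    '103\t"@SUM(A1:A2)"\tcarol@example.com\t3\n'
)

if __name__ == "__main__":
    cleaned, hits = sanitize_export(SAMPLE_EXPORT)
    for row, col, value in hits:
        print(f"row {row}, column {col}: {value!r}")
```

The findings list doubles as a review log: any hit in a user-controlled column such as the subject is worth checking before the file is shared further.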

Affected Version(s)

rt < 5.0.10

rt >= 6.0.0, < 6.0.3

CVSS V3.1

Score: 4.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
