CVE-2025-61873: Improper Neutralization of Formula Elements in a CSV File in Request Tracker

Severity
2.6 LOW (NVD)
EPSS
0.0%
top 99.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Jan 16

Description

Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Exploitability: 1.0 | Impact: 1.4

Affected Packages (3 packages)

CVEListV5 | bestpractical/request_tracker | 5.05.0.9+2
debian | debian/request-tracker4 | < request-tracker4 4.4.6+dfsg-1.1+deb12u3 (bookworm)
debian | debian/request-tracker5 | < request-tracker4 4.4.6+dfsg-1.1+deb12u3 (bookworm)

🔴 Vulnerability Details (2)

GHSA
GHSA-3rc2-78m3-cqmh: Best Practical Request Tracker (RT) before 4 (2026-01-16)
OSV
CVE-2025-61873: Best Practical Request Tracker (RT) before 4 (2026-01-16)

📋 Vendor Advisories (1)

Debian
CVE-2025-61873: request-tracker4 - Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV In... (2025)

🕵️ Threat Intelligence (1)

Wiz
CVE-2025-61873 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2025-61873 — Request Tracker vulnerability | cvebase