CVE-2026-41073
Published 2026-05-22
Priority: P4 · 25 · medium · 4.6 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:U / C:L / I:L / A:N
EPSS: 0.17% (6.1th percentile)
RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bestpractical | rt | < 5.0.10 | 5.0.10 |
| bestpractical | rt | 6.0.0 through 6.0.2 | 6.0.3 |
CVSS provenance
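| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 4.6 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
| cvelistv5 | v3.1 | 4.6 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |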
VulDB
bestpractical rt up to 5.0.9/6.0.2 csv injection (GHSA-6x92-7v65-7m3r)
vuldb·2026-05-23
CVE-2026-41073 [LOW] bestpractical rt up to 5.0.9/6.0.2 csv injection (GHSA-6x92-7v65-7m3r)
A vulnerability has been found in bestpractical rt up to 5.0.9/6.0.2 and classified as problematic. Affected by this vulnerability is an unknown functionality. Performing a manipulation results in csv injection.
This vulnerability is reported as CVE-2026-41073. The attack can be carried out remotely. No exploit exists.
The affected component should be upgraded.
CVEList
RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps
cvelistv5·2026-05-22·CVSS 4.6
CVE-2026-41073 [MEDIUM] CWE-1236 RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps
No detection rules found.
No public exploits indexed.