CVE-2026-41073

Source
https://cve.org/CVERecord?id=CVE-2026-41073
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41073.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-41073
Aliases
  • GHSA-6x92-7v65-7m3r
Downstream
Published
2026-05-22T21:10:22.249Z
Modified
2026-07-08T08:13:13.343034060Z
Severity
  • 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
Summary
RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps
Details

RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/41xxx/CVE-2026-41073.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-1236"
    ]
}
References

Affected packages

Git / github.com/bestpractical/rt

Affected ranges

Type
GIT
Repo
https://github.com/bestpractical/rt
Events
Database specific
{
    "source": [
        "DESCRIPTION",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.0.2"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-41073.json"