UBUNTU-CVE-2026-41073
- Source
- https://ubuntu.com/security/CVE-2026-41073
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-41073.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-41073
- Upstream
- Published
- 2026-05-22T22:16:00Z
- Modified
- 2026-05-27T19:15:17.770657721Z
- Severity
-
- 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Ubuntu - medium
- Summary
- [none]
- Details
-
RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
- References
Affected packages
Ubuntu:16.04:LTS
request-tracker4
Package
- Name
- request-tracker4
- Purl
- pkg:deb/ubuntu/request-tracker4?arch=source&distro=xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "request-tracker4",
"binary_version": "4.2.12-5"
},
{
"binary_name": "rt4-apache2",
"binary_version": "4.2.12-5"
},
{
"binary_name": "rt4-clients",
"binary_version": "4.2.12-5"
},
{
"binary_name": "rt4-db-mysql",
"binary_version": "4.2.12-5"
},
{
"binary_name": "rt4-db-postgresql",
"binary_version": "4.2.12-5"
},
{
"binary_name": "rt4-db-sqlite",
"binary_version": "4.2.12-5"
},
{
"binary_name": "rt4-doc-html",
"binary_version": "4.2.12-5"
},
{
"binary_name": "rt4-fcgi",
"binary_version": "4.2.12-5"
},
{
"binary_name": "rt4-standalone",
"binary_version": "4.2.12-5"
}
]
}Ubuntu:20.04:LTS
request-tracker4
Package
- Name
- request-tracker4
- Purl
- pkg:deb/ubuntu/request-tracker4?arch=source&distro=focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "request-tracker4",
"binary_version": "4.4.3-2+deb10u3build0.20.04.1"
},
{
"binary_name": "rt4-apache2",
"binary_version": "4.4.3-2+deb10u3build0.20.04.1"
},
{
"binary_name": "rt4-clients",
"binary_version": "4.4.3-2+deb10u3build0.20.04.1"
},
{
"binary_name": "rt4-db-mysql",
"binary_version": "4.4.3-2+deb10u3build0.20.04.1"
},
{
"binary_name": "rt4-db-postgresql",
"binary_version": "4.4.3-2+deb10u3build0.20.04.1"
},
{
"binary_name": "rt4-db-sqlite",
"binary_version": "4.4.3-2+deb10u3build0.20.04.1"
},
{
"binary_name": "rt4-doc-html",
"binary_version": "4.4.3-2+deb10u3build0.20.04.1"
},
{
"binary_name": "rt4-fcgi",
"binary_version": "4.4.3-2+deb10u3build0.20.04.1"
},
{
"binary_name": "rt4-standalone",
"binary_version": "4.4.3-2+deb10u3build0.20.04.1"
}
]
}Ubuntu:22.04:LTS
request-tracker4
Package
- Name
- request-tracker4
- Purl
- pkg:deb/ubuntu/request-tracker4?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "request-tracker4",
"binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
},
{
"binary_name": "rt4-apache2",
"binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
},
{
"binary_name": "rt4-clients",
"binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
},
{
"binary_name": "rt4-db-mysql",
"binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
},
{
"binary_name": "rt4-db-postgresql",
"binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
},
{
"binary_name": "rt4-db-sqlite",
"binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
},
{
"binary_name": "rt4-doc-html",
"binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
},
{
"binary_name": "rt4-fcgi",
"binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
},
{
"binary_name": "rt4-standalone",
"binary_version": "4.4.4+dfsg-2ubuntu1.22.04.1"
}
]
}Ubuntu:24.04:LTS
request-tracker4
Package
- Name
- request-tracker4
- Purl
- pkg:deb/ubuntu/request-tracker4?arch=source&distro=noble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "request-tracker4",
"binary_version": "4.4.7+dfsg-1"
},
{
"binary_name": "rt4-apache2",
"binary_version": "4.4.7+dfsg-1"
},
{
"binary_name": "rt4-clients",
"binary_version": "4.4.7+dfsg-1"
},
{
"binary_name": "rt4-db-mysql",
"binary_version": "4.4.7+dfsg-1"
},
{
"binary_name": "rt4-db-postgresql",
"binary_version": "4.4.7+dfsg-1"
},
{
"binary_name": "rt4-db-sqlite",
"binary_version": "4.4.7+dfsg-1"
},
{
"binary_name": "rt4-doc-html",
"binary_version": "4.4.7+dfsg-1"
},
{
"binary_name": "rt4-fcgi",
"binary_version": "4.4.7+dfsg-1"
},
{
"binary_name": "rt4-standalone",
"binary_version": "4.4.7+dfsg-1"
}
]
}Ubuntu:25.10
request-tracker4
Package
- Name
- request-tracker4
- Purl
- pkg:deb/ubuntu/request-tracker4?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "request-tracker4",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-apache2",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-clients",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-db-mysql",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-db-postgresql",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-db-sqlite",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-doc-html",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-fcgi",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-standalone",
"binary_version": "4.4.7+dfsg-4syncable1"
}
]
}request-tracker5
Package
- Name
- request-tracker5
- Purl
- pkg:deb/ubuntu/request-tracker5?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "request-tracker5",
"binary_version": "5.0.7+dfsg-4"
},
{
"binary_name": "rt5-apache2",
"binary_version": "5.0.7+dfsg-4"
},
{
"binary_name": "rt5-clients",
"binary_version": "5.0.7+dfsg-4"
},
{
"binary_name": "rt5-db-mysql",
"binary_version": "5.0.7+dfsg-4"
},
{
"binary_name": "rt5-db-postgresql",
"binary_version": "5.0.7+dfsg-4"
},
{
"binary_name": "rt5-db-sqlite",
"binary_version": "5.0.7+dfsg-4"
},
{
"binary_name": "rt5-doc-html",
"binary_version": "5.0.7+dfsg-4"
},
{
"binary_name": "rt5-fcgi",
"binary_version": "5.0.7+dfsg-4"
},
{
"binary_name": "rt5-standalone",
"binary_version": "5.0.7+dfsg-4"
}
]
}Ubuntu:26.04:LTS
request-tracker4
Package
- Name
- request-tracker4
- Purl
- pkg:deb/ubuntu/request-tracker4?arch=source&distro=resolute
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "request-tracker4",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-apache2",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-clients",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-db-mysql",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-db-postgresql",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-db-sqlite",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-doc-html",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-fcgi",
"binary_version": "4.4.7+dfsg-4syncable1"
},
{
"binary_name": "rt4-standalone",
"binary_version": "4.4.7+dfsg-4syncable1"
}
]
}request-tracker5
Package
- Name
- request-tracker5
- Purl
- pkg:deb/ubuntu/request-tracker5?arch=source&distro=resolute
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "request-tracker5",
"binary_version": "5.0.7+dfsg-6"
},
{
"binary_name": "rt5-apache2",
"binary_version": "5.0.7+dfsg-6"
},
{
"binary_name": "rt5-clients",
"binary_version": "5.0.7+dfsg-6"
},
{
"binary_name": "rt5-db-mysql",
"binary_version": "5.0.7+dfsg-6"
},
{
"binary_name": "rt5-db-postgresql",
"binary_version": "5.0.7+dfsg-6"
},
{
"binary_name": "rt5-db-sqlite",
"binary_version": "5.0.7+dfsg-6"
},
{
"binary_name": "rt5-doc-html",
"binary_version": "5.0.7+dfsg-6"
},
{
"binary_name": "rt5-fcgi",
"binary_version": "5.0.7+dfsg-6"
},
{
"binary_name": "rt5-standalone",
"binary_version": "5.0.7+dfsg-6"
}
]
}Ubuntu:Pro:18.04:LTS
request-tracker4
Package
- Name
- request-tracker4
- Purl
- pkg:deb/ubuntu/request-tracker4?arch=source&distro=esm-apps%2Fbionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "request-tracker4",
"binary_version": "4.4.2-2ubuntu0.1~esm1"
},
{
"binary_name": "rt4-apache2",
"binary_version": "4.4.2-2ubuntu0.1~esm1"
},
{
"binary_name": "rt4-clients",
"binary_version": "4.4.2-2ubuntu0.1~esm1"
},
{
"binary_name": "rt4-db-mysql",
"binary_version": "4.4.2-2ubuntu0.1~esm1"
},
{
"binary_name": "rt4-db-postgresql",
"binary_version": "4.4.2-2ubuntu0.1~esm1"
},
{
"binary_name": "rt4-db-sqlite",
"binary_version": "4.4.2-2ubuntu0.1~esm1"
},
{
"binary_name": "rt4-doc-html",
"binary_version": "4.4.2-2ubuntu0.1~esm1"
},
{
"binary_name": "rt4-fcgi",
"binary_version": "4.4.2-2ubuntu0.1~esm1"
},
{
"binary_name": "rt4-standalone",
"binary_version": "4.4.2-2ubuntu0.1~esm1"
}
]
}Ubuntu:Pro:22.04:LTS
request-tracker5
Package
- Name
- request-tracker5
- Purl
- pkg:deb/ubuntu/request-tracker5?arch=source&distro=esm-apps%2Fjammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "request-tracker5",
"binary_version": "5.0.1+dfsg-1ubuntu1+esm1"
},
{
"binary_name": "rt5-apache2",
"binary_version": "5.0.1+dfsg-1ubuntu1+esm1"
},
{
"binary_name": "rt5-clients",
"binary_version": "5.0.1+dfsg-1ubuntu1+esm1"
},
{
"binary_name": "rt5-db-mysql",
"binary_version": "5.0.1+dfsg-1ubuntu1+esm1"
},
{
"binary_name": "rt5-db-postgresql",
"binary_version": "5.0.1+dfsg-1ubuntu1+esm1"
},
{
"binary_name": "rt5-db-sqlite",
"binary_version": "5.0.1+dfsg-1ubuntu1+esm1"
},
{
"binary_name": "rt5-doc-html",
"binary_version": "5.0.1+dfsg-1ubuntu1+esm1"
},
{
"binary_name": "rt5-fcgi",
"binary_version": "5.0.1+dfsg-1ubuntu1+esm1"
},
{
"binary_name": "rt5-standalone",
"binary_version": "5.0.1+dfsg-1ubuntu1+esm1"
}
]
}Ubuntu:Pro:24.04:LTS
request-tracker5
Package
- Name
- request-tracker5
- Purl
- pkg:deb/ubuntu/request-tracker5?arch=source&distro=esm-apps%2Fnoble
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Ecosystem specific
{
"binaries": [
{
"binary_name": "request-tracker5",
"binary_version": "5.0.5+dfsg-2ubuntu0.1~esm1"
},
{
"binary_name": "rt5-apache2",
"binary_version": "5.0.5+dfsg-2ubuntu0.1~esm1"
},
{
"binary_name": "rt5-clients",
"binary_version": "5.0.5+dfsg-2ubuntu0.1~esm1"
},
{
"binary_name": "rt5-db-mysql",
"binary_version": "5.0.5+dfsg-2ubuntu0.1~esm1"
},
{
"binary_name": "rt5-db-postgresql",
"binary_version": "5.0.5+dfsg-2ubuntu0.1~esm1"
},
{
"binary_name": "rt5-db-sqlite",
"binary_version": "5.0.5+dfsg-2ubuntu0.1~esm1"
},
{
"binary_name": "rt5-doc-html",
"binary_version": "5.0.5+dfsg-2ubuntu0.1~esm1"
},
{
"binary_name": "rt5-fcgi",
"binary_version": "5.0.5+dfsg-2ubuntu0.1~esm1"
},
{
"binary_name": "rt5-standalone",
"binary_version": "5.0.5+dfsg-2ubuntu0.1~esm1"
}
]
}