4.6
CVE-2026-41073
- EPSS 0.17%
- Veröffentlicht 22.05.2026 21:10:22
- Zuletzt bearbeitet 26.05.2026 20:03:14
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
RT: Spreadsheet downloads vulnerable to CSV/formula injection in Microsoft Excel and similar apps
RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerbestpractical
≫
Produkt
rt
Version
< 5.0.10
Status
affected
Version
>= 6.0.0, < 6.0.3
Status
affected
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.17% | 0.061 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 4.6 | 2.1 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
|
CWE-1236 Improper Neutralization of Formula Elements in a CSV File
The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.
https://github.com/bestpractical/rt/security/advisories/GHSA-6x92-7v65-7m3r
https://github.com/bestpractical/rt/releases/tag/rt-5.0.10
https://github.com/bestpractical/rt/releases/tag/rt-6.0.3