PatchSiren cyber security CVE debrief
CVE-2026-41073 bestpractical CVE debrief
CVE-2026-41073 is a spreadsheet formula injection vulnerability in RT (Request Tracker), an open-source enterprise issue and ticket tracking system. The vulnerability exists because user-controlled data in spreadsheet exports is not sanitized before being written to output files, allowing crafted values to be interpreted as formulas or macros when opened in spreadsheet applications. This affects versions prior to 5.0.10 and versions 6.0.0 through 6.0.2. The issue was published on May 22, 2026, and last modified on May 26, 2026. The vulnerability is classified as CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) and carries a CVSS 3.1 score of 4.6 (Medium severity). Fixes are available in versions 5.0.10 and 6.0.3.
- Vendor: bestpractical
- Product: rt
- CVSS: MEDIUM 4.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-22
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-22
- Advisory updated: 2026-05-26
Who should care
Organizations using RT (Request Tracker) for issue and ticket tracking, particularly those that export ticket data to spreadsheet formats for reporting or analysis. Security teams responsible for vulnerability management in open-source ticketing systems. System administrators managing RT installations. Users who regularly open exported RT data in spreadsheet applications.
Technical summary
The vulnerability stems from improper neutralization of formula elements in CSV/spreadsheet export functionality. When RT exports ticket data to spreadsheet formats, user-controlled input fields (such as ticket subjects, comments, or custom fields) are written to the output file without sanitization of formula-triggering characters. Spreadsheet applications like Microsoft Excel, LibreOffice Calc, or Google Sheets interpret strings beginning with '=' or other formula indicators as executable formulas. An attacker with the ability to submit ticket data containing malicious payloads could craft values that execute when an administrator or analyst opens the exported file. The CVSS vector indicates network accessibility, low attack complexity, requirement for low privileges, and necessary user interaction. The vulnerability does not appear to be exploitable without user interaction (opening the malicious file). Confidentiality and integrity impacts are rated as low, with no availability impact. The fix in versions 5.0.10 and 6.0.3 presumably implements output encoding or prefixing of dangerous characters to prevent formula interpretation.
Defensive priority
medium
Recommended defensive actions
- Upgrade RT to version 5.0.10 or 6.0.3 or later to remediate the spreadsheet formula injection vulnerability.
- If immediate upgrade is not feasible, avoid opening exported RT spreadsheet files directly in spreadsheet applications when data may contain untrusted user input.
- Consider implementing additional input validation and output sanitization for spreadsheet export functionality as a defense-in-depth measure.
- Review and update security awareness training to include risks associated with opening untrusted spreadsheet files.
- Monitor for security updates from Best Practical Solutions for RT.
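The neutralization the technical summary describes, and the defense-in-depth export sanitization recommended above, look like the following. This is an added illustration written for this debrief, not RT's own code or its actual fix; the ticket fields, sample values and function names are constructed assumptions.

```python
import csv
import io

# Leading characters that Excel, LibreOffice Calc and Google Sheets take as
# the start of a formula, plus control characters that can hide one.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def neutralize_cell(value):
    """Return a cell value that spreadsheet applications render as text.

    A leading apostrophe forces text interpretation. The check runs on the
    first non-space character, since some applications trim before deciding
    whether a cell is a formula.
    """
    text = "" if value is None else str(value)
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_tickets(tickets, sanitize=True):
    """Write ticket rows as CSV text; sanitize=False mirrors the unfixed export."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["id", "subject", "requestor"])
    for ticket in tickets:
        row = [ticket["id"], ticket["subject"], ticket["requestor"]]
        if sanitize:
            row = [neutralize_cell(v) for v in row]
        writer.writerow(row)
    return buf.getvalue()


# Constructed sample data, not real RT tickets. Ticket 102's subject is the
# kind of requestor-controlled value the advisory describes.
SAMPLE_TICKETS = [
    {"id": 101, "subject": "Printer on floor 3 is jammed", "requestor": "alice@example.test"},
    {"id": 102, "subject": "=2*21", "requestor": "bob@example.test"},
    {"id": 103, "subject": "  @SUM(1;2) after spaces", "requestor": "carol@example.test"},
]


def count_formula_cells(csv_text):
    """Count cells that a spreadsheet would still evaluate as formulas."""
    rows = csv.reader(io.StringIO(csv_text))
    return sum(1 for row in rows for cell in row
               if cell.lstrip(" ").startswith(FORMULA_TRIGGERS))


if __name__ == "__main__":
    print(export_tickets(SAMPLE_TICKETS, sanitize=False))  # two live formula cells
    print(export_tickets(SAMPLE_TICKETS))                  # none
```

The apostrophe prefix also catches legitimate values such as negative numbers or text starting with a hyphen, so reviewers should expect it on any column that carries free-form user input.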
Evidence notes
Vulnerability description and affected versions derived from official CVE record and GitHub Security Advisory GHSA-6x92-7v65-7m3r. CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N confirms network attack vector with low attack complexity, requiring low privileges and user interaction. CWE-1236 classification sourced from [email protected]. Fix versions 5.0.10 and 6.0.3 confirmed via GitHub release tags.
Official resources
2026-05-22