Description

Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.

PUBLISHED Reserved 2025-10-03 | Published 2026-01-16 | Updated 2026-01-16 | Assigner mitre




LOW: 2.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N)

Problem types

CWE-1236 Improper Neutralization of Formula Elements in a CSV File

Product status

Default status: unaffected

Any version before 4.4.9: affected

5.0 (custom) before 5.0.9: affected

6.0 (custom) before 6.0.2: affected

References

docs.bestpractical.com/release-notes/rt/index.html

cve.org (CVE-2025-61873)

nvd.nist.gov (CVE-2025-61873)
