CVE-2026-41073
Publication date 22 May 2026
Last updated 6 July 2026
Ubuntu priority
Cvss 3 Severity Score
Description
RT is an open source, enterprise-grade issue and ticket tracking system. Versions prior to 5.0.10 and 6.0.0 through 6.0.2 contain a spreadsheet (CSV/formula) injection vulnerability. User-controlled data in spreadsheet exports is not sanitized before being written to the output file, which can cause spreadsheet applications to interpret crafted values as formulas or macros when the file is opened. This issue has been fixed in versions 5.0.10 and 6.0.3. If developers are unable to upgrade immediately, they can temporarily work around this issue by avoiding opening exported RT spreadsheet files directly in spreadsheet applications when the data may contain untrusted user input.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| request-tracker5 | 26.04 LTS resolute |
Fixed 5.0.7+dfsg-6ubuntu0.1~esm1
|
| 25.10 questing |
Vulnerable
|
|
| 24.04 LTS noble |
Fixed 5.0.5+dfsg-2ubuntu0.1~esm2
|
|
| 22.04 LTS jammy |
Fixed 5.0.1+dfsg-1ubuntu1+esm2
|
|
| request-tracker4 | 26.04 LTS resolute |
Needs evaluation
|
| 25.10 questing |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 20.04 LTS focal |
Needs evaluation
|
|
| 18.04 LTS bionic |
Needs evaluation
|
Get expanded security coverage with Ubuntu Pro
Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.
Get Ubuntu Pro 30-day free trialSeverity score breakdown
CVSS version: CVSS v3.0
Base score
4.6 · Medium
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
References
Related Ubuntu Security Notices (USN)
- USN-8506-1
- Request Tracker vulnerabilities
- 6 July 2026