Description
Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.
References (1)
Core References
Various Sources
https://docs.bestpractical.com/release-notes/rt/index.html
Scores
CVSS v3: 2.6
EPSS: 0.0019
EPSS Percentile: 9.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-1236
Status: published
Products (3)
bestpractical/Request Tracker: < 4.4.9
bestpractical/Request Tracker: 5.0 - 5.0.9
bestpractical/Request Tracker: 6.0 - 6.0.2
Published: Jan 16, 2026
Tracked Since: Feb 18, 2026