CVE-2025-61873

EUVD-2026-2878
Best Practical Request Tracker (RT) before 4.4.9, 5.0.9, and 6.0.2 allows CSV Injection via ticket values when TSV export is used.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
mitreCNA
2.6 LOW
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
bestpracticalrequest_tracker
𝑥
< 4.4.9
CNA
bestpracticalrequest_tracker
5.0 ≤
𝑥
< 5.0.9
CNA
bestpracticalrequest_tracker
6.0 ≤
𝑥
< 6.0.2
CNA
Debian logo
Debian Releases
Debian Product
Codename
request-tracker4
bookworm
4.4.6+dfsg-1.1+deb12u4
fixed
bookworm (security)
4.4.6+dfsg-1.1+deb12u4
fixed
bullseye
vulnerable
bullseye (security)
4.4.4+dfsg-2+deb11u5
fixed
request-tracker5
bookworm
5.0.3+dfsg-3~deb12u6
fixed
bookworm (security)
5.0.3+dfsg-3~deb12u6
fixed
forky
5.0.10+dfsg-3
fixed
sid
5.0.10+dfsg-3
fixed
trixie
5.0.7+dfsg-4+deb13u3
fixed
trixie (security)
5.0.7+dfsg-4+deb13u3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
request-tracker4
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
ignored
resolute
needs-triage
xenial
ignored
request-tracker5
jammy
not-affected
noble
not-affected
plucky
ignored
questing
not-affected
resolute
not-affected