CVE-2026-27644 PUBLISHED

traccar allows CSV formula injection via exported position data

Assigner: GitHub_M
Reserved: 20.02.2026 Published: 05.05.2026 Updated: 05.05.2026

Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CVSS Score: 6.5

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	Low	Integrity Impact	Low
User Interaction	Required	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	traccar
Product	traccar
Versions	Version >= 6.11.1 , < 6.13.0 is affected

Vendor	traccar
Product	traccar
Versions	Version >= 6.11.1 , < 6.13.0 is affected

References

Problem Types

CWE-1236: Improper Neutralization of Formula Elements in a CSV File CWE