CVE-2026-27644 - Vulnerability Details

- traccar allows CSV formula injection via exported position data

Description

Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.

Published: 2026-05-05

Score: 6.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises when the CSV export provider writes position data to a CSV file without escaping user‑controlled fields. This allows an attacker to embed spreadsheet formulas such as =CMD|… into fields that appear in exported files. When a system administrator or manager opens the file in common spreadsheet software, the formula is evaluated, potentially triggering abnormal execution or data exfiltration. The flaw thus enables the attacker to run arbitrary code or exfiltrate data from the environment.

Affected Systems

The issue affects the Traccar GPS tracking platform, specifically versions 6.11.1 through 6.13.0. The vulnerable functionality resides in the CsvExportProvider component of the server. Any installation of Traccar within that version range that utilizes the CSV export feature is susceptible. Versions 6.13.0 and later contain the remedial patch and are not affected.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. No EPSS score is reported and the vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation is currently known. However, the attack requires an attacker to supply data that will be exported and a victim to open the file, meaning the vector is limited but still significant for environments where privileged users frequently process exported data. Because the risk remains actionable, administrators should not delay remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

traccar

affected

Version	Status	Constraints
`>= 6.11.1 , < 6.13.0`	affected	—

traccar

affected

Version	Status	Constraints
`>= 6.11.1 , < 6.13.0`	affected	—

No data.

Vendor Product Confidence Versions

Traccar

100%

Version	Status	Scheme	Platform
`[6.11.1,6.13.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Traccar to version 6.13.0 or later to apply the vendor fix.
Disable or restrict the CSV export feature for users who do not require it.
Verify that exported files are scanned or opened within a sandboxed spreadsheet environment to prevent automatic execution of formulas.

Generated by OpenCVE AI on May 5, 2026 at 13:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/traccar/traccar/blob/v6.11.1/src/main/java/org/traccar/reports/CsvExportProvider.java#L89-L91
https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7

History

Tue, 05 May 2026 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Traccar Traccar traccar
Vendors & Products		Traccar Traccar traccar

Tue, 05 May 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 05 May 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.
Title		traccar allows CSV formula injection via exported position data
Weaknesses		CWE-1236
References		https://github.com/traccar/traccar/blob/v6.11.1/src/main/java/org/traccar/reports/CsvExportProvider.java#L89-L91 https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}`

Subscriptions

Traccar Traccar

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-05-05T12:12:49.342Z

Updated: 2026-05-05T13:11:01.742Z

Reserved: 2026-02-20T22:02:30.029Z

Link: CVE-2026-27644

Vulnrichment

Updated: 2026-05-05T13:10:51.793Z

NVD

Status : Received

Published: 2026-05-05T13:16:27.807

Modified: 2026-05-05T14:16:08.407

Link: CVE-2026-27644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T14:30:25Z

Weaknesses

CWE-1236

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object