Vulnerability Description
Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Traccar | Traccar | >= 6.11.1, < 6.13.0 |
Related Weaknesses (CWE)
References
- https://github.com/traccar/traccar/blob/v6.11.1/src/main/java/org/traccar/reportProduct
- https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7ExploitVendor AdvisoryMitigation
- https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7ExploitVendor AdvisoryMitigation
FAQ
What is CVE-2026-27644?
CVE-2026-27644 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CS...
How severe is CVE-2026-27644?
CVE-2026-27644 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27644?
Check the references section above for vendor advisories and patch information. Affected products include: Traccar Traccar.