Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.
AnalysisAI
Traccar versions 6.11.1 through 6.13.0 fail to escape user-controlled device and computed attributes in CSV export functionality, allowing authenticated attackers to inject spreadsheet formulas that execute when a manager or administrator opens the exported file, potentially leading to command execution or data exfiltration. The vulnerability requires user interaction (opening the CSV) but affects all confidentiality, integrity, and availability once exploitation occurs. Patch available in version 6.13.0.
Technical ContextAI
The vulnerability exists in Traccar's CSV export provider (CsvExportProvider.java), which writes position data directly to CSV output without sanitizing formula injection characters. Spreadsheet applications like Microsoft Excel, Google Sheets, and LibreOffice interpret cells beginning with '=', '+', '-', or '@' as formulas, allowing attackers to craft malicious expressions through device names or custom attributes stored in the Traccar database. CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) describes this class of flaw where untrusted data in spreadsheet-parseable formats can bypass input validation. The attack surface includes any CSV export endpoint that includes user-controllable fields (device names, attribute values) without escaping.
RemediationAI
Upgrade Traccar to version 6.13.0 or later to obtain the vendor-released patch that properly escapes formula characters in CSV output. Administrators running versions 6.11.1 through 6.13.0-rc should prioritize this upgrade as a security update. Until patching is complete, temporary compensating controls include: restrict CSV export functionality to administrators only (via Traccar role-based access controls), educate end users to disable formula evaluation warnings in spreadsheet software or configure spreadsheet applications to not auto-execute formulas on file open (though this is not a reliable mitigation), and monitor for suspicious CSV exports by reviewing audit logs for export activity. Restrict device naming and custom attribute input to alphanumeric characters and safe symbols (avoiding '=', '+', '-', '@') via input validation if backend changes are possible before upgrade.
Traccar is an open source GPS tracking system. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploi
Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by
Traccar GPS tracking system through version 6.11.1 allows authenticated users to hijack OAuth 2.0 authorization codes th
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijack
Traccar GPS tracking system through version 6.11.1 allows authenticated users to conduct arbitrary file writes by settin
Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Auth
Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. Rated medium severity (CVSS 6.5), thi
Traccar is an open source GPS tracking system. Rated medium severity (CVSS 6.3), this vulnerability is no authentication
XML injection in Traccar 6.11.1 through 6.12.x allows authenticated users with low privileges to inject malicious XML in
Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject ma
Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to ove
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27306