Skip to main content

Traccar GPS Tracking EUVDEUVD-2026-27306

| CVE-2026-27644 MEDIUM
Improper Neutralization of Formula Elements in a CSV File (CWE-1236)
2026-05-05 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
May 05, 2026 - 14:01 EUVD
Analysis Generated
May 05, 2026 - 13:30 vuln.today

DescriptionGitHub Advisory

Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.

AnalysisAI

Traccar versions 6.11.1 through 6.13.0 fail to escape user-controlled device and computed attributes in CSV export functionality, allowing authenticated attackers to inject spreadsheet formulas that execute when a manager or administrator opens the exported file, potentially leading to command execution or data exfiltration. The vulnerability requires user interaction (opening the CSV) but affects all confidentiality, integrity, and availability once exploitation occurs. Patch available in version 6.13.0.

Technical ContextAI

The vulnerability exists in Traccar's CSV export provider (CsvExportProvider.java), which writes position data directly to CSV output without sanitizing formula injection characters. Spreadsheet applications like Microsoft Excel, Google Sheets, and LibreOffice interpret cells beginning with '=', '+', '-', or '@' as formulas, allowing attackers to craft malicious expressions through device names or custom attributes stored in the Traccar database. CWE-1236 (Improper Neutralization of Formula Elements in a CSV File) describes this class of flaw where untrusted data in spreadsheet-parseable formats can bypass input validation. The attack surface includes any CSV export endpoint that includes user-controllable fields (device names, attribute values) without escaping.

RemediationAI

Upgrade Traccar to version 6.13.0 or later to obtain the vendor-released patch that properly escapes formula characters in CSV output. Administrators running versions 6.11.1 through 6.13.0-rc should prioritize this upgrade as a security update. Until patching is complete, temporary compensating controls include: restrict CSV export functionality to administrators only (via Traccar role-based access controls), educate end users to disable formula evaluation warnings in spreadsheet software or configure spreadsheet applications to not auto-execute formulas on file open (though this is not a reliable mitigation), and monitor for suspicious CSV exports by reviewing audit logs for export activity. Restrict device naming and custom attribute input to alphanumeric characters and safe symbols (avoiding '=', '+', '-', '@') via input validation if backend changes are possible before upgrade.

CVE-2024-31214 CRITICAL POC
9.6 Apr 10

Traccar is an open source GPS tracking system. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploi

CVE-2026-25648 HIGH POC
8.7 Feb 23

Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by

CVE-2026-25649 HIGH POC
7.3 Feb 23

Traccar GPS tracking system through version 6.11.1 allows authenticated users to hijack OAuth 2.0 authorization codes th

CVE-2025-68930 HIGH POC
7.1 Feb 23

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijack

CVE-2026-23521 MEDIUM POC
6.5 Feb 23

Traccar GPS tracking system through version 6.11.1 allows authenticated users to conduct arbitrary file writes by settin

CVE-2024-7746 CRITICAL
9.5 Aug 13

Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Auth

CVE-2020-5246 MEDIUM
6.5 Jul 14

Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. Rated medium severity (CVSS 6.5), thi

CVE-2021-21292 MEDIUM
6.3 Feb 02

Traccar is an open source GPS tracking system. Rated medium severity (CVSS 6.3), this vulnerability is no authentication

CVE-2026-27693 MEDIUM
5.4 May 05

XML injection in Traccar 6.11.1 through 6.12.x allows authenticated users with low privileges to inject malicious XML in

CVE-2026-27694 MEDIUM
5.4 May 05

Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject ma

CVE-2026-44314 MEDIUM
5.3 May 26

Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to ove

Share

EUVD-2026-27306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy