CVE-2026-27644

Published: Mag 05, 2026 Last Modified: Mag 05, 2026

ExploitDB:

Other exploit source:

Google Dorks:

MEDIUM 6,5

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: required

Scope: changed

Confidentiality: low

Integrity: low

Availability: low

Description

AI Translation Available

Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.

1236

Improper Neutralization of Formula Elements in a CSV File

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality

Potential Impacts:

Read Application Data Execute Unauthorized Code Or Commands

Applicable Platforms

Technologies: Other

View CWE Details

https://github.com/traccar/traccar/blob/v6.11.1/src/main/ja…

https://github.com/traccar/traccar/blob/v6.11.1/src/main/java/org/traccar/repor…

https://github.com/traccar/traccar/security/advisories/GHSA…

https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7

CVE-2026-27644

Description

Improper Neutralization of Formula Elements in a CSV File

Common Consequences

Applicable Platforms

Iscriviti alla newsletter