CVE-2026-27644 in Traccarinformation

Résumé

par MITRE • 05/05/2026

Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Responsable

GitHub M

Réserver

20/02/2026

Divulgation

05/05/2026

Modérer

accepté

Entrée

VDB-361177

CPE

prêt

CWE

CWE-1236 (confirmé)

CVSS

6.5 (CNA)

EPSS

0.00043

KEV

non

Activités

très faible

Sources

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-27644
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-27644
CVE Details	https://www.cvedetails.com/cve/CVE-2026-27644/

◂ Précédent Aperçu Suivant ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!