VIR Vulnerability Intelligence Relay

CVE-2026-27644

medium
Published 2026-05-05 · Modified 2026-05-08
CVSS v3
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CVSS v2
VIR risk
6.5

Description

Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.

Predictions

Exploit likelihood
75%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7

Application impact
VendorProductVersionsFixed
traccartraccar{"startIncluding":"6.11.1","endExcluding":"6.13.0"}6.13.0

References

CWEs

CWE-1236

Verify integrity in audit chain (admin only). AS-IS.