CVE-2026-27644

Source
https://cve.org/CVERecord?id=CVE-2026-27644
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27644.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27644
Aliases
  • GHSA-745r-9qgj-x7m7
Published
2026-05-05T12:12:49.342Z
Modified
2026-07-08T08:06:58.340990101Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L CVSS Calculator
Summary
traccar allows CSV formula injection via exported position data
Details

Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27644.json",
    "cwe_ids": [
        "CWE-1236"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/traccar/traccar

Affected ranges

Type
GIT
Repo
https://github.com/traccar/traccar
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "6.11.1"
        },
        {
            "fixed": "6.13.0"
        }
    ]
}

Affected versions

v6.*
v6.11.1
v6.12.0
v6.12.1
v6.12.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27644.json"