CVE-2026-27644

Name of the Vulnerable Software and Affected Versions Traccar versions 6.11.1 through 6.12.x

Description The CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. This allows an attacker to inject spreadsheet formulas through exported fields. If a manager or administrator opens the resulting CSV file in spreadsheet software, it can trigger formula execution, potentially leading to command execution or data exfiltration.

Recommendations Update to version 6.13.0.