Anton Tananaev

6 exploits Active since Jan 2019
CVE-2026-27644 WRITEUP MEDIUM WRITEUP
traccar allows CSV formula injection via exported position data
Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported fields. When a manager or administrator opens the exported CSV file in spreadsheet software, this can cause formula execution and lead to command execution or data exfiltration. This has been patched in version 6.13.0.
CVSS 6.5
CVE-2026-27693 WRITEUP MEDIUM WRITEUP
traccar allows XML injection in KML and GPX exports
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.
CVSS 5.4
CVE-2019-5748 WRITEUP CRITICAL WRITEUP
Traccar Server - XXE
In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks.
CVSS 9.8
CVE-2020-5246 WRITEUP HIGH WRITEUP
Traccar < 4.9 - Injection
Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. It occurs when user input is being used in LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges. The issue only impacts instances with LDAP configuration and where users can craft their own names. This has been patched in version 4.9.
CVSS 7.7
CVE-2021-21292 WRITEUP MEDIUM WRITEUP
Traccar <4.12 - Privilege Escalation
Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. Attacker needs write access to the filesystem on the host machine. If Java path includes a space, then attacker can lift their privilege to the same as Traccar service (system). This is fixed in version 4.12.
CVSS 5.5
CVE-2025-61666 WRITEUP HIGH WRITEUP
Traccar <6.8.1-6.0 - Local File Inclusion
Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1- 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file system including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if <entry key='web.override'>./override</entry> is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default as the web override is enabled by default. The vulnerable code is removed in version 6.9.0.