CVE-2026-27694
CVE-2026-27694 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. EPSS estimates a 0.16% chance of exploitation in the next 30 days.
Description
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.
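To make the defect concrete, the following is an added illustration (not Traccar's own template code) of the pattern the advisory describes: a notification template that substitutes device, geofence and driver names into HTML verbatim, beside the escaped form that version 6.13.0's fix corresponds to, plus an audit helper an operator can run over stored names on a not-yet-upgraded instance. The template text, field names and sample values are constructed for this example.

```python
import html
import re
from string import Template

# Constructed sample records. A low-privilege user renamed a device so that the
# stored name carries HTML markup; the URL is a placeholder, not a real site.
DEVICE_NAME = 'Truck 7 <a href="https://example.invalid/">Click here</a>'
GEOFENCE_NAME = "Depot <b>North</b>"
DRIVER_NAME = "J. Doe"

# Simplified stand-in for a geofence-exit notification email body.
TEMPLATE = Template(
    "<p>Device $device left geofence $geofence.</p>"
    "<p>Driver: $driver</p>"
)


def render_unescaped(device, geofence, driver):
    """Vulnerable pattern: user-controlled names are placed into the HTML
    body as-is, so any markup in them is rendered by the recipient's client."""
    return TEMPLATE.substitute(device=device, geofence=geofence, driver=driver)


def render_escaped(device, geofence, driver):
    """Hardened pattern: every user-controlled field is HTML-escaped before
    substitution, so the name is displayed literally rather than interpreted."""
    return TEMPLATE.substitute(
        device=html.escape(device, quote=True),
        geofence=html.escape(geofence, quote=True),
        driver=html.escape(driver, quote=True),
    )


# Matches an opening or closing HTML tag such as <a href="..."> or </b>.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def find_markup_in_names(names):
    """Defender check: return the stored names that contain HTML tags, so an
    operator can audit device, geofence and driver records for injected markup."""
    return [name for name in names if MARKUP.search(name)]


if __name__ == "__main__":
    print(render_unescaped(DEVICE_NAME, GEOFENCE_NAME, DRIVER_NAME))
    print(render_escaped(DEVICE_NAME, GEOFENCE_NAME, DRIVER_NAME))
    print(find_markup_in_names([DEVICE_NAME, GEOFENCE_NAME, DRIVER_NAME]))
```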
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Traccar | Traccar | >= 6.11.1, < 6.13.0 |
References
- https://github.com/traccar/traccar/security/advisories/GHSA-6hfr-mj4m-hrvv (Exploit, Mitigation, Vendor Advisory)
Source: NVD / NIST
