Medium severity5.4NVD Advisory· Published May 5, 2026· Updated May 8, 2026

CVE-2026-27693

Description

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.

Affected products

Traccar/Traccarreferences2 versions
(expand)+ 1 more
- (no CPE)
- cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*range: >=6.11.1,<6.13.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656nvdExploitVendor AdvisoryMitigation
github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.javanvdProduct

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000