Medium severity5.4NVD Advisory· Published May 5, 2026· Updated May 8, 2026
CVE-2026-27693
CVE-2026-27693
Description
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3Patches
Vulnerability mechanics
References
2- github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656nvdExploitVendor AdvisoryMitigation
- github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.javanvdProduct
News mentions
0No linked articles in our index yet.