VYPR
Medium severity5.4NVD Advisory· Published May 5, 2026· Updated May 8, 2026

CVE-2026-27694

CVE-2026-27694

Description

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Traccar/Traccar2 versions
    cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*range: >=6.11.1,<6.13.0
    • (no CPE)range: >=6.11.1, <6.13.0

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.