Medium severity5.4NVD Advisory· Published May 5, 2026· Updated May 8, 2026
CVE-2026-27694
CVE-2026-27694
Description
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1- github.com/traccar/traccar/security/advisories/GHSA-6hfr-mj4m-hrvvnvdExploitVendor AdvisoryMitigation
News mentions
0No linked articles in our index yet.