Description

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.

INFO

Published Date :

2026-05-05T12:17:07.898Z

Last Modified :

2026-05-06T12:43:31.211Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27693 vulnerability.

Vendors Products
Traccar
  • Traccar
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27693.

URL Resource
https://github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.java#L52-L54 cve-icon cve-icon
https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656 cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact