Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.
AnalysisAI
XML injection in Traccar 6.11.1 through 6.12.x allows authenticated users with low privileges to inject malicious XML into KML and GPX export files by crafting device names, corrupting file structure and spoofing location data when other users open exported files. Vendor-released patch: version 6.13.0.
Technical ContextAI
Traccar's KML and GPX export functionality (GpxExportProvider and related XML serialization components) concatenates device names directly into XML output without proper entity encoding or sanitization. The vulnerability is rooted in CWE-91 (XML Injection), where untrusted user input (device names) flows directly into XML generation without escaping special characters such as <, >, &, and quotes. An attacker with low-privilege account access can create or rename a device with a name containing XML syntax (e.g., '</marker><marker lat="0" lng="0">' or external entity references), which becomes embedded in the exported XML file. When a different user opens the corrupted XML in an application expecting valid KML/GPX structure, the injected XML is parsed as legitimate content, corrupting the document tree and potentially spoofing GPS coordinates or other location attributes.
RemediationAI
Upgrade Traccar to version 6.13.0 or later immediately. No workarounds are available short of disabling KML and GPX export functionality entirely (e.g., removing the export endpoints or user permissions). If immediate upgrade is not possible, restrict device creation and naming permissions to trusted administrators only, reducing the attack surface to internal threats. However, this does not prevent existing malicious device names from being exported. Verify exported KML/GPX files with XML validators before opening them in production systems. Reference: GitHub Security Advisory at https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656.
Traccar is an open source GPS tracking system. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploi
Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by
Traccar GPS tracking system through version 6.11.1 allows authenticated users to hijack OAuth 2.0 authorization codes th
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijack
Traccar GPS tracking system through version 6.11.1 allows authenticated users to conduct arbitrary file writes by settin
Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Auth
Traccar versions 6.11.1 through 6.13.0 fail to escape user-controlled device and computed attributes in CSV export funct
Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. Rated medium severity (CVSS 6.5), thi
Traccar is an open source GPS tracking system. Rated medium severity (CVSS 6.3), this vulnerability is no authentication
Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject ma
Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to ove
Same weakness CWE-91 – XML Injection (aka Blind XPath Injection)
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27307