Skip to main content

Traccar EUVDEUVD-2026-27307

| CVE-2026-27693 MEDIUM
XML Injection (aka Blind XPath Injection) (CWE-91)
2026-05-05 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Patch available
May 05, 2026 - 14:01 EUVD
Analysis Generated
May 05, 2026 - 13:30 vuln.today

DescriptionGitHub Advisory

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.

AnalysisAI

XML injection in Traccar 6.11.1 through 6.12.x allows authenticated users with low privileges to inject malicious XML into KML and GPX export files by crafting device names, corrupting file structure and spoofing location data when other users open exported files. Vendor-released patch: version 6.13.0.

Technical ContextAI

Traccar's KML and GPX export functionality (GpxExportProvider and related XML serialization components) concatenates device names directly into XML output without proper entity encoding or sanitization. The vulnerability is rooted in CWE-91 (XML Injection), where untrusted user input (device names) flows directly into XML generation without escaping special characters such as <, >, &, and quotes. An attacker with low-privilege account access can create or rename a device with a name containing XML syntax (e.g., '</marker><marker lat="0" lng="0">' or external entity references), which becomes embedded in the exported XML file. When a different user opens the corrupted XML in an application expecting valid KML/GPX structure, the injected XML is parsed as legitimate content, corrupting the document tree and potentially spoofing GPS coordinates or other location attributes.

RemediationAI

Upgrade Traccar to version 6.13.0 or later immediately. No workarounds are available short of disabling KML and GPX export functionality entirely (e.g., removing the export endpoints or user permissions). If immediate upgrade is not possible, restrict device creation and naming permissions to trusted administrators only, reducing the attack surface to internal threats. However, this does not prevent existing malicious device names from being exported. Verify exported KML/GPX files with XML validators before opening them in production systems. Reference: GitHub Security Advisory at https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656.

CVE-2024-31214 CRITICAL POC
9.6 Apr 10

Traccar is an open source GPS tracking system. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploi

CVE-2026-25648 HIGH POC
8.7 Feb 23

Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by

CVE-2026-25649 HIGH POC
7.3 Feb 23

Traccar GPS tracking system through version 6.11.1 allows authenticated users to hijack OAuth 2.0 authorization codes th

CVE-2025-68930 HIGH POC
7.1 Feb 23

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijack

CVE-2026-23521 MEDIUM POC
6.5 Feb 23

Traccar GPS tracking system through version 6.11.1 allows authenticated users to conduct arbitrary file writes by settin

CVE-2024-7746 CRITICAL
9.5 Aug 13

Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Auth

CVE-2026-27644 MEDIUM
6.5 May 05

Traccar versions 6.11.1 through 6.13.0 fail to escape user-controlled device and computed attributes in CSV export funct

CVE-2020-5246 MEDIUM
6.5 Jul 14

Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. Rated medium severity (CVSS 6.5), thi

CVE-2021-21292 MEDIUM
6.3 Feb 02

Traccar is an open source GPS tracking system. Rated medium severity (CVSS 6.3), this vulnerability is no authentication

CVE-2026-27694 MEDIUM
5.4 May 05

Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject ma

CVE-2026-44314 MEDIUM
5.3 May 26

Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to ove

Share

EUVD-2026-27307 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy