CVE-2026-27694 MEDIUM

CVE-2026-27694: traccar allows stored HTML injection in notification emails

Vendor Traccar
Product traccar
Weakness CWE-79 · XSS
Published May 5, 2026
Last update May 5, 2026

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.

Key dates

02Disclosure timeline

May 5, 2026 CVE published
May 5, 2026 Record updated