CVE-2026-27694
traccar allows stored HTML injection in notification emails
CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.
| CWE | CWE-79 |
| Vendor | traccar |
| Product | traccar |
| Published | May 5, 2026 |
Stay Ahead of the Next One
Get instant alerts for traccar traccar
Be the first to know when new medium vulnerabilities affecting traccar traccar are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
traccar / traccar
>= 6.11.1, < 6.13.0