CVE-2026-27693— traccar allows XML injection in KML and GPX exports

traccar allows XML injection in KML and GPX exports

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L

XML注入(XPath盲注)

Traccar 安全漏洞

Traccar是美国Traccar公司的一个基于Java的可提供GPS跟踪功能的建站系统。该软件支持170多种GPS协议和1500多种型号的GPS跟踪设备。Traccar可以与任何主要的SQL数据库系统一起使用。它还提供了易于使用的REST API。 Traccar 6.11.1版本至6.13.0之前版本存在安全漏洞，该漏洞源于KML和GPX导出功能未正确转义设备名称，可能导致低权限攻击者创建带有特制名称的设备注入XML内容，当其他用户导出并打开受影响的KML或GPX文件时可能破坏文件结构并伪造导出的位置

N/A

N/A