CVE-2026-27694— traccar allows stored HTML injection in notification emails
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-27694
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
traccar allows stored HTML injection in notification emails
Source: NVD (National Vulnerability Database)
Vulnerability Description
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Traccar 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Traccar是美国Traccar公司的一个基于Java的可提供GPS跟踪功能的建站系统。该软件支持170多种GPS协议和1500多种型号的GPS跟踪设备。Traccar可以与任何主要的SQL数据库系统一起使用。它还提供了易于使用的REST API。 Traccar 6.11.1版本至6.13.0之前版本存在跨站脚本漏洞,该漏洞源于电子邮件通知模板未正确转义用户控制的设备、地理围栏和驱动程序名称,可能导致低权限攻击者存储特制HTML内容,在发送给其他用户的电子邮件中渲染,可能导致钓鱼或伪造电子邮件内容。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-27694
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-27694
请登录查看更多情报信息。
Same Patch Batch · traccar · 2026-05-05 · 3 CVEs total
| CVE-2026-27644 | 6.5 MEDIUM | traccar allows CSV formula injection via exported position data |
| CVE-2026-27693 | 5.4 MEDIUM | traccar allows XML injection in KML and GPX exports |
IV. Related Vulnerabilities
Same product: traccar
- CVE-2026-27693
traccar allows XML injection in KML and GPX exports - CVE-2026-27644
traccar allows CSV formula injection via exported position d - CVE-2026-25649
Traccar Vulnerable to Authorization Code Theft via Open Redi - CVE-2026-25648
Traccar Vulnerable to Stored Cross-Site Scripting (XSS) via - CVE-2026-23521
Traccar vulnerable to Path Traversal and External Control of
Same vendor: traccar
- CVE-2026-27693
traccar allows XML injection in KML and GPX exports - CVE-2026-27644
traccar allows CSV formula injection via exported position d - CVE-2026-25649
Traccar Vulnerable to Authorization Code Theft via Open Redi - CVE-2026-25648
Traccar Vulnerable to Stored Cross-Site Scripting (XSS) via - CVE-2026-23521
Traccar vulnerable to Path Traversal and External Control of
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2026-27694
No comments yet