CVE-2026-27693
Severity: MEDIUM
traccar allows XML injection in KML and GPX exports
Title source: cnaDescription
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.
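As an added illustration (not code from the Traccar project or from the advisory), the defect class in Python: a GPX writer that concatenates the device name straight into markup next to one that escapes it, with a parser check showing how a crafted name turns into an extra, spoofed waypoint in the unescaped output. The device names and coordinates are constructed for the example, and the escaped variant is a generic remediation pattern, not the project's actual patch.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

GPX_NS = "http://www.topografix.com/GPX/1/1"

# Constructed device name that is itself well-formed XML. A device-creation
# API that only validates length would accept it unchanged.
CRAFTED_NAME = 'Truck 7</name></wpt><wpt lat="0" lon="0"><name>Spoofed'


def gpx_export_unescaped(devices):
    """Vulnerable pattern: the name is interpolated into the XML text as-is."""
    parts = [f'<gpx version="1.1" xmlns="{GPX_NS}">']
    for name, lat, lon in devices:
        parts.append(f'<wpt lat="{lat}" lon="{lon}"><name>{name}</name></wpt>')
    parts.append("</gpx>")
    return "".join(parts)


def gpx_export_escaped(devices):
    """Hardened: '<', '>' and '&' in the name become entities before output.

    Names placed in an attribute would additionally need quoteattr(); here
    lat/lon are numeric and the name only appears as element text.
    """
    parts = [f'<gpx version="1.1" xmlns="{GPX_NS}">']
    for name, lat, lon in devices:
        parts.append(
            f'<wpt lat="{lat}" lon="{lon}"><name>{escape(name)}</name></wpt>'
        )
    parts.append("</gpx>")
    return "".join(parts)


def waypoints(gpx_text):
    """Parse an export and return (name, lat, lon) per waypoint.

    Comparing this list against the devices that were exported is a cheap
    integrity check: any extra waypoint means markup leaked in from a name.
    """
    ns = {"g": GPX_NS}
    root = ET.fromstring(gpx_text)
    return [
        (w.findtext("g:name", namespaces=ns), w.get("lat"), w.get("lon"))
        for w in root.findall("g:wpt", ns)
    ]


if __name__ == "__main__":
    devices = [(CRAFTED_NAME, "51.5", "-0.1")]
    print("unescaped:", waypoints(gpx_export_unescaped(devices)))
    print("escaped:  ", waypoints(gpx_export_escaped(devices)))
```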
References (2)
x_refsource_confirm: https://github.com/traccar/traccar/security/advisories/GHSA-32pj-vrqc-x656
x_refsource_misc: https://github.com/traccar/traccar/blob/v6.11.0/src/main/java/org/traccar/reports/GpxExportProvider.java#L52-L54
Scores
CVSS v3.1 base score: 5.4
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L
Details
CWE
CWE-91
Status
published
Products (1)
traccar/traccar
>= 6.11.1, < 6.13.0
Published
May 05, 2026
Tracked Since
May 05, 2026