Description
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.
Published: 2026-05-05
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traccar’s KML and GPX export features output device names straight into XML documents without proper escaping. A user who can create a device can supply a name that injects arbitrary XML markup. When another user later exports a KML or GPX file containing the injected XML, the output structure can be corrupted or the displayed location data can be spoofed. This weakness is a classic XML injection (CWE-91) and does not provide remote code execution, but it does allow data tampering and potential denial of service for GPS exports.

Affected Systems

The vulnerability exists in Traccar versions 6.11.1 through 6.12.x; users of the open‑source GPS tracking system who are running any of those builds are affected.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. No EPSS score is available, but the attacker only needs the ability to create a device and to export the file, both of which require authenticated access. The issue is not listed in CISA’s KEV catalog, and the attack vector is local rather than network exposed. Overall risk is moderate, and the resolution is to apply the available patch.

Generated by OpenCVE AI on May 5, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Traccar to version 6.13.0 or later.
  • Restrict device‑creation privileges to trusted users until the update is applied.
  • Disable the KML/GPX export feature until a patched version is deployed.

Generated by OpenCVE AI on May 5, 2026 at 13:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Traccar
Traccar traccar
Vendors & Products Traccar
Traccar traccar

Tue, 05 May 2026 12:45:00 +0000

Type Values Removed Values Added
Description Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML content into exported files. If another user exports and opens the affected KML or GPX file, this can corrupt the file structure and spoof exported location data. This issue is fixed in version 6.13.0.
Title traccar allows XML injection in KML and GPX exports
Weaknesses CWE-91
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L'}

Subscriptions

Traccar Traccar
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T12:17:34.300Z

Reserved: 2026-02-23T17:56:51.202Z

Link: CVE-2026-27693

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T13:16:28.367

Modified: 2026-05-05T13:16:28.367

Link: CVE-2026-27693

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T13:30:25Z

Weaknesses