Description
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.
Published: 2026-05-05
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Traccar, an open source GPS tracking system, builds its email notifications from templates that embed user-controlled device, geofence, and driver names into HTML output without escaping them. Any low-privileged user who can edit those fields can store crafted HTML in them; when Traccar later generates a notification email for other users who have access to the affected device, that HTML is rendered as markup in the email body by the recipient's mail client. The flaw is classified as CWE-79: Improper Neutralization of Input During Web Page Generation.

Affected Systems

The vulnerability affects Traccar versions starting at 6.11.1 through 6.12.x; the fix is included in version 6.13.0 and later.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) gives a score of 5.4 (Medium): the attacker needs only a low-privileged account, the victim must open the notification email (UI:R), and the injected content is rendered outside Traccar itself, in the recipient's mail client (S:C). No EPSS score is available and the flaw is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below marks exploitation as 'poc' and the issue as not automatable. Based on the description, an attacker would use the web interface or API to store HTML in a device, geofence, or driver name; the unescaped name is then embedded in the HTML body of the notification emails Traccar sends to other users with access to that device. Because most mail clients do not execute script, the practical outcome is spoofed email content and phishing links (a limited impact on confidentiality and integrity) rather than script execution or direct system compromise.

Generated by OpenCVE AI on May 5, 2026 at 13:22 UTC.

Remediation

No vendor advisory or workaround is linked on this page; the CVE description states that the issue is fixed in version 6.13.0.

OpenCVE Recommended Actions

  • Upgrade Traccar to version 6.13.0 or newer to apply the input sanitization fix.
  • If an upgrade cannot be performed immediately, audit existing device, geofence, and driver names for HTML markup and remove it; any user who can edit those fields can reintroduce it, so this is a stopgap, not a fix.
  • Restrict or disable email notifications for users who do not require them to reduce exposure to malicious content.
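The following Python script is an added example, not Traccar's own code. It does two things the recommendations above and the analysis call for: it flags stored device, geofence and driver names that contain HTML markup, and it contrasts the flawed pattern (a name dropped straight into an HTML template) with the fix of escaping at the HTML sink. The sample objects, the template string and the evil.example URL are constructed for illustration; the optional live fetch assumes Traccar's documented /api/devices, /api/geofences and /api/drivers endpoints with HTTP Basic authentication enabled, and is not needed to run the offline part.

```python
"""
Added example (not Traccar's code): audit stored names for HTML markup and
show why output escaping, not input stripping, is the correct fix.
"""
import base64
import html
import json
import re
import urllib.request

# Constructed sample in the shape of Traccar's GET /api/devices, /api/geofences
# and /api/drivers responses (only the fields used here; values are made up).
SAMPLE_OBJECTS = {
    "devices": [
        {"id": 1, "name": "Truck 12"},
        {"id": 2, "name": 'Van <a href="https://evil.example/relogin">Session expired, sign in again</a>'},
    ],
    "geofences": [{"id": 7, "name": 'Depot <b style="color:red">ALERT</b>'}],
    "drivers": [{"id": 3, "name": "O'Brien & Sons"}],  # legitimate; must survive untouched
}

# Opening/closing tags (even unterminated ones, which mail clients still parse)
# and character references such as &lt; or &#x3c;.
MARKUP_RE = re.compile(r"<\s*/?[A-Za-z!]|&#?\w+;")


def find_markup(objects):
    """Return (kind, id, name) for every object whose name carries HTML markup."""
    hits = []
    for kind, items in objects.items():
        for item in items:
            name = item.get("name") or ""
            if MARKUP_RE.search(name):
                hits.append((kind, item["id"], name))
    return hits


# Minimal stand-in for an email template that embeds a device name in HTML.
# Traccar's real templates are not reproduced here.
TEMPLATE = "<p>Alarm for device {name}</p>"


def render_vulnerable(template, name):
    """The flawed pattern: the raw name lands inside the HTML body as markup."""
    return template.format(name=name)


def render_fixed(template, name):
    """The fix: escape at the HTML sink, so any markup in the name is shown as text."""
    return template.format(name=html.escape(name, quote=True))


def fetch_names(base_url, user, password):
    """Pull live names from a Traccar server (assumes Basic auth on the REST API)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    out = {}
    for kind in ("devices", "geofences", "drivers"):
        req = urllib.request.Request(
            f"{base_url}/api/{kind}", headers={"Authorization": f"Basic {token}"}
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            out[kind] = json.load(resp)
    return out


if __name__ == "__main__":
    # Offline audit over the constructed sample; swap in fetch_names(...) for a live server.
    for kind, obj_id, name in find_markup(SAMPLE_OBJECTS):
        print(f"{kind}/{obj_id}: {name!r}")
    bad = SAMPLE_OBJECTS["devices"][1]["name"]
    print(render_vulnerable(TEMPLATE, bad))
    print(render_fixed(TEMPLATE, bad))
```

Escaping at the sink is preferred over stripping tags on input for two reasons visible in the sample: a legitimate name such as "O'Brien & Sons" is preserved exactly (it is only encoded in the HTML output), and stripping at save time does nothing for names that were stored before the stopgap or that a user with edit rights re-enters afterwards.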

Generated by OpenCVE AI on May 5, 2026 at 13:22 UTC.


Advisories

No advisories yet.

History

Tue, 05 May 2026 15:15:00 +0000

Type       Values Removed   Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 05 May 2026 13:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Traccar
                                       Traccar traccar
Vendors & Products                     Traccar
                                       Traccar traccar

Tue, 05 May 2026 12:45:00 +0000

Type          Values Removed   Values Added
Description                    Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields, which is then rendered in notification emails sent to other users with access to the affected devices. This can lead to phishing or spoofed email content. This issue is fixed in version 6.13.0.
Title                          traccar allows stored HTML injection in notification emails
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T14:12:04.800Z

Reserved: 2026-02-23T17:56:51.202Z

Link: CVE-2026-27694

Vulnrichment

Updated: 2026-05-05T13:59:18.106Z

NVD

Status : Received

Published: 2026-05-05T13:16:28.513

Modified: 2026-05-05T16:16:10.797

Link: CVE-2026-27694

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T13:30:25Z

Weaknesses