CVE-2026-27694 Overview
CVE-2026-27694 is a stored Cross-Site Scripting (XSS) vulnerability in Traccar, an open source GPS tracking system. The flaw affects org.traccar:traccar versions starting at 6.11.1 and prior to 6.13.0. Email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store crafted HTML in these fields. The malicious markup is then rendered in notification emails sent to other users with access to the affected devices. The issue is fixed in version 6.13.0.
Critical Impact
Authenticated low-privilege attackers can inject HTML into outbound email notifications, enabling phishing and spoofed content targeting other Traccar users.
Affected Products
- Traccar org.traccar:traccar version 6.11.1
- Traccar org.traccar:traccar versions 6.11.x through 6.12.x
- Traccar org.traccar:traccar versions prior to 6.13.0
Discovery Timeline
- 2026-05-05 - CVE-2026-27694 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-27694
Vulnerability Analysis
The vulnerability is classified as Cross-Site Scripting [CWE-79]. Traccar generates email notifications using HTML templates that interpolate object metadata such as device names, geofence names, and driver names. These values are stored as supplied by users with permission to create or edit those entities. The notification renderer concatenates the values directly into the HTML body without applying contextual output encoding. As a result, any HTML or scripting markup placed in those fields is delivered verbatim to the recipient's mail client.
Because the rendering target is an email message rather than a browser session, exploitation typically focuses on visual spoofing rather than active script execution. Many modern mail clients strip <script> tags but still render hyperlinks, images, styled blocks, and inline content. An attacker can craft a device name that renders as a fake security notice, login prompt, or branded message inside legitimate Traccar notification mail.
Root Cause
The root cause is missing HTML output encoding in the email notification template engine. Trusted-looking fields such as device, geofence, and driver names are treated as safe strings during template interpolation. No escaping function converts characters such as <, >, ", or & into their HTML entity equivalents before they reach the message body.
Attack Vector
Exploitation requires network access to the Traccar instance, an authenticated low-privilege account, and user interaction by a recipient who opens or previews the resulting email. The attacker creates or renames a device, geofence, or driver to include crafted HTML. When any event triggers a notification referencing that entity, the server emails the rendered HTML to other users sharing access to the resource. The scope is changed because content authored within the Traccar application reaches the recipient's mail client environment.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-6hfr-mj4m-hrvv.
Detection Methods for CVE-2026-27694
Indicators of Compromise
- Device, geofence, or driver records whose names contain HTML tags, angle brackets, anchor elements, or inline event handlers such as onerror or onclick.
- Outbound notification emails from Traccar containing unexpected hyperlinks, images, or styled content not present in standard templates.
- User reports of phishing emails that appear to originate from the Traccar notification address.
Detection Strategies
- Query the Traccar database for entity names matching patterns such as %<%, %javascript:%, or %href=% to surface suspicious values.
- Inspect outgoing SMTP traffic or mail relay logs for notification messages whose HTML body length deviates significantly from the template baseline.
- Review audit logs for low-privilege accounts performing repeated rename operations on devices, geofences, or drivers.
Monitoring Recommendations
- Enable verbose logging of entity create and update events in Traccar and forward them to a centralized log platform.
- Alert on notification email payloads that contain HTML tags inside attribute values originating from user-controlled fields.
- Track newly created or recently modified accounts that perform metadata edits shortly after registration.
How to Mitigate CVE-2026-27694
Immediate Actions Required
- Upgrade Traccar to version 6.13.0 or later, which applies HTML escaping to template fields.
- Audit existing device, geofence, and driver names for embedded HTML and sanitize any malicious entries.
- Restrict the ability to create or rename tracked entities to trusted operator roles until patching is complete.
Patch Information
The maintainers fixed the issue in Traccar 6.13.0. The patch introduces output encoding so that user-controlled entity names are converted to safe HTML entities before being inserted into notification templates. Release details are available in the Traccar GitHub Security Advisory.
Workarounds
- Temporarily disable email notifications referencing user-named entities until the upgrade is applied.
- Apply input validation at the application boundary to reject device, geofence, and driver names containing <, >, or quote characters.
- Configure the mail gateway to strip HTML from messages originating from the Traccar notification sender, delivering plain-text only.
# Example: identify suspicious entity names in the Traccar database
psql -U traccar -d traccar -c \
"SELECT id, name FROM tc_devices WHERE name ~ '[<>]|javascript:|on[a-z]+=';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
