Executive Summary

CVE-2026-27694 is a stored HTML injection vulnerability in the Traccar GPS tracking system's email notification feature. In affected versions (6.11.1 up to before 6.13.0), user-controlled fields such as device names, geofence names, and driver names are inserted into HTML email templates without proper escaping or sanitization.

An attacker with low privileges can inject malicious HTML code into these fields, which then gets rendered in notification emails sent to other users who have access to the affected devices. This can enable phishing attacks or spoofed email content.

The vulnerability arises because the email templates use Velocity template files that do not escape user input, allowing crafted HTML payloads like phishing links, fake login forms, or tracking pixels to be executed in the victim's email client.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to several security impacts including phishing attacks, spoofed email content, and potential credential theft.

• Attackers can inject malicious HTML that appears in notification emails, tricking users into clicking phishing links or submitting sensitive information.
• It can enable session hijacking or unauthorized data access if users are deceived by the spoofed content.
• Because the attack vector is network-based and requires only low privileges, it poses a medium severity risk (CVSS 5.4).

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying if your Traccar system is running a vulnerable version (6.11.1 up to before 6.13.0) and checking for any device, geofence, or driver names containing suspicious or crafted HTML content.

You can inspect the database or configuration where device, geofence, and driver names are stored to find any entries with embedded HTML tags or scripts.

Since the vulnerability involves stored HTML injection, searching for HTML tags in these fields can help detect exploitation attempts.

• Example command to search for HTML tags in device names (assuming a SQL database):
• SELECT * FROM devices WHERE name LIKE '%<%';
• Similarly, check geofence and driver name tables for entries containing '<' characters.

Additionally, monitor email notifications sent by the system for suspicious HTML content or unexpected links that could indicate exploitation.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the Traccar system to version 6.13.0 or later, where this vulnerability is fixed.

Until the upgrade can be performed, consider disabling email notifications to prevent malicious HTML content from being sent to users.

Review and sanitize existing device, geofence, and driver names to remove any embedded HTML or suspicious content.

Implement input validation and restrict user input in these fields to prevent insertion of HTML or script content.

Consider switching email notifications to plain text format if possible, to avoid rendering of HTML content.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to inject malicious HTML into email notifications, potentially leading to phishing attacks, credential theft, session hijacking, and unauthorized data access.

Such unauthorized access and data breaches can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring secure communication.

Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing user data and credentials through spoofed or malicious email content.

Useful 0 Not Useful 0