CVE-2026-27693

Name of the Vulnerable Software and Affected Versions org.traccar:traccar versions 6.11.1 through 6.12.x

Description The KML and GPX export functionality writes device names to XML output without proper escaping. A low-privileged attacker can create a device with a crafted name to inject XML content into exported files. When another user exports and opens the affected file, it can lead to corruption of the file structure and spoofing of exported location data.

Recommendations Update to version 6.13.0.