CVE-2026-27694

Name of the Vulnerable Software and Affected Versions org.traccar:traccar versions 6.11.1 through 6.12.x

Description Email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. A low-privileged attacker can store crafted HTML in these fields, which is then rendered in notification emails sent to other users who have access to the affected devices. This can result in phishing or spoofed email content.

Recommendations Update to version 6.13.0.