CVE-2026-27694

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the email notification template system. An attacker can inject arbitrary HTML content by supplying crafted values in device, geofence, or driver name fields, which are then rendered in notification emails se...

CVE-2026-27694

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store...

CVE-2026-27694 traccar allows stored HTML injection in notification emails

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store...

CVE-2026-27694

Traccar (org.traccar:traccar) versions 6.11.1–6.12.x are vulnerable to stored HTML injection in email notification templates. User-controlled device, geofence, and driver names are inserted into HTML output without proper escaping, allowing an attacker with low privileges to store crafted HTML th...

CVE-2026-27694

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store...

A week in security (March 2 – March 8)

Last week on Malwarebytes Labs: One click on this fake Google Meet update can give attackers control of your PC Beware of fake OpenClaw installers, even if Bing points you to GitHub Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets Windows File Shredder: When deleting a file...

Supreme Court to decide whether geofence warrants are constitutional

Google has weighed in on a court case that will decide the future of a powerful but contentious tool for law enforcement. The company submitted an opinion to the US Supreme Court arguing that geofence warrants are unconstitutional. A geofence warrant is a form of "reverse warrant" that turns a...

The Constitutionality of Geofence Warrants

The US Supreme Court is considering the constitutionality of geofence warrants. The case centers on the trial of Okello Chatrie, a Virginia man who pleaded guilty to a 2019 robbery outside of Richmond and was sentenced to almost 12 years in prison for stealing $195,000 at gunpoint. Police probing...

EUVD-2023-25637

Malicious code in bioql PyPI...

CVE-2023-21469

Improper access control vulnerability in SLocation prior to SMR Apr-2022 Release 1 allows local attackers to get device location information using com.samsung.android.wifi.GEOFENCE action...

CVE-2023-21469

Improper access control vulnerability in SLocation prior to SMR Apr-2022 Release 1 allows local attackers to get device location information using com.samsung.android.wifi.GEOFENCE action...

CVE-2023-21469

Improper access control vulnerability in SLocation prior to SMR Apr-2022 Release 1 allows local attackers to get device location information using com.samsung.android.wifi.GEOFENCE action...

CVE-2023-21469

Improper access control vulnerability in SLocation prior to SMR Apr-2022 Release 1 allows local attackers to get device location information using com.samsung.android.wifi.GEOFENCE action...

CVE-2023-21469

CVE-2023-21469 describes an improper access control vulnerability in SLocation prior to SMR Apr-2022 Release 1. Local attackers can obtain device location information by invoking the com.samsung.android.wifi.GEOFENCE action. Root cause: improper access control. Impact (as stated): potential discl...

CVE-2023-21469

Improper access control vulnerability in SLocation prior to SMR Apr-2022 Release 1 allows local attackers to get device location information using com.samsung.android.wifi.GEOFENCE action...

SAMSUNG Mobile devices 安全漏洞

SAMSUNG Mobile devices are a range of Samsung mobile devices, including cell phones, tablets, etc., from the South Korean company Samsung SAMSUNG. A security vulnerability exists in SAMSUNG Mobile devices versions prior to SMR Apr-2022 Release 1, which stems from improper access control and could...

PT-2025-35662

Name of the Vulnerable Software and Affected Versions: SLocation versions prior to SMR Apr-2022 Release 1 Description: An improper access control issue exists in SLocation. Local attackers can obtain device location information by leveraging the com.samsung.android.wifi.GEOFENCE action...

CVE-2024-30800

PX4 Autopilot v.1.14 allows an attacker to fly the drone into no-fly zones by breaching the geofence using flaws in the function...

CVE-2024-24254

PX4 Autopilot 1.14 and earlier, due to the lack of synchronization mechanism for loading geofence data, has a Race Condition vulnerability in the geofence.cpp and missionfeasibilitychecker.cpp. This will result in the drone uploading overlapping geofences and mission routes...