In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks.
traccar server 4.2