What is the CVSS score of CVE-2025-61666?

CVE-2025-61666 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N. EPSS exploitation probability: 1.0%.

Which versions of Windows are affected by CVE-2025-61666?

Traccar GPS tracking systems versions 6.1-6.8.1 (and 5.8-6.0 with non-default configuration) are vulnerable to unauthenticated local file inclusion attacks that expose sensitive files including…. A patch is available.

Is there a public PoC exploit available for CVE-2025-61666?

Yes, a public proof-of-concept exploit is available for CVE-2025-61666. Prioritise patching immediately. EPSS: 1.0%.

How to fix or mitigate CVE-2025-61666?

Within 24 hours: identify all Traccar installations and document versions currently deployed. Within 7 days: upgrade Windows-based Traccar instances to version 6.9.0 or later; for versions 5.8-6.0, disable the ./override configuration setting if present. Within 30 days: complete upgrade of all remaining affected instances and conduct credential rotation for any systems running vulnerable versions.

Windows CVE-2025-61666

EUVD-2025-33211 HIGH

Path Traversal (CWE-22)

2025-10-02 security-advisories@github.com

Path Traversal Windows

8.7

CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:26 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

6.9.0

EUVD ID Assigned

Mar 13, 2026 - 19:12 euvd

EUVD-2025-33211

Analysis Generated

Mar 13, 2026 - 19:12 vuln.today

CVE Published

Oct 02, 2025 - 22:15 nvd

HIGH 8.7

DescriptionGitHub Advisory

Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1- 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file system including the Traccar configuration file. Versions 5.8 - 6.0 are only vulnerable if <entry key='web.override'>./override</entry> is set in the configuration file. Versions 6.1 - 6.8.1 are vulnerable by default as the web override is enabled by default. The vulnerable code is removed in version 6.9.0.

Analysis

Technical ContextAI

Path traversal allows an attacker to access files outside the intended directory by manipulating file paths with sequences like '../'.

RemediationAI

Validate and sanitize file path inputs. Use a whitelist of allowed files or directories. Implement chroot jails or containerization.

More from same product – last 7 days

CVE-2026-12440 CRITICAL Act Now

9.6 Jun 17

Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to po

CVE-2026-12437 HIGH This Week

8.3 Jun 17

Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had comprom

CVE-2026-12449 HIGH This Week

7.8 Jun 17

Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-

CVE-2026-12461 MEDIUM This Month

6.5 Jun 17

Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain pot

CVE-2026-12444 MEDIUM This Month

5.5 Jun 17

Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain

CVE-2025-61666 vulnerability details – vuln.today

Back