Traccar
CVE-2026-25648
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the image/svg+xml Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.
AnalysisAI
Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by uploading unsanitized SVG files as device images, exploiting improper Content-Type handling. Public exploit code exists for this reflected cross-site scripting vulnerability, which could enable session hijacking or credential theft with no patch currently available.
Technical ContextAI
Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Traccar. Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the image/svg+xml Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available
RemediationAI
Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.
Traccar is an open source GPS tracking system. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploi
Traccar GPS tracking system through version 6.11.1 allows authenticated users to hijack OAuth 2.0 authorization codes th
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijack
Traccar GPS tracking system through version 6.11.1 allows authenticated users to conduct arbitrary file writes by settin
Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Auth
Traccar versions 6.11.1 through 6.13.0 fail to escape user-controlled device and computed attributes in CSV export funct
Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. Rated medium severity (CVSS 6.5), thi
Traccar is an open source GPS tracking system. Rated medium severity (CVSS 6.3), this vulnerability is no authentication
XML injection in Traccar 6.11.1 through 6.12.x allows authenticated users with low privileges to inject malicious XML in
Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject ma
Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to ove
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today