CVE-2026-25648
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Description
Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of the time of publication, it is unclear whether a fix is available.
Analysis
Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by uploading unsanitized SVG files as device images, exploiting improper Content-Type handling. Public exploit code exists for this reflected cross-site scripting vulnerability, which could enable session hijacking or credential theft with no patch currently available.
Remediation
Within 24 hours: Identify all Traccar instances in use and document affected versions; restrict file upload capabilities to trusted administrators only. Within 7 days: Implement input validation and content-type restrictions on SVG uploads; conduct access review of who has device image upload permissions. …
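One way to implement the upload validation and Content-Type restrictions the remediation describes, as an added example that is not Traccar's own code: the SVG is parsed and rejected if it carries any scriptable content (script or foreignObject elements, on* event-handler attributes, javascript: hrefs), and accepted files are served with headers that block script execution even when the file is opened directly. The sample uploads, function names and header choices are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"

# Constructed sample uploads (not taken from the advisory or from Traccar).
SAFE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
            b'<circle cx="5" cy="5" r="4" fill="green"/></svg>')
EVIL_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="x=1">'
            b'<script>/* constructed sample, does nothing */</script>'
            b'<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:void(0)">'
            b'<text y="8">hi</text></a></svg>')


def svg_active_content(data: bytes) -> list[str]:
    """Reasons the SVG could run script when opened as a document; [] means inert.
    Production code should parse with defusedxml to avoid entity-expansion attacks."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as err:
        return [f"not well-formed XML: {err}"]
    if root.tag != SVG_NS + "svg":
        return ["root element is not <svg>"]
    reasons = []
    for el in root.iter():
        tag = el.tag.split("}")[-1].lower()
        if tag in ("script", "foreignobject"):      # inline script / embedded HTML
            reasons.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            local = name.split("}")[-1].lower()
            if local.startswith("on"):                # onload, onclick, ...
                reasons.append(f"event handler attribute {local}")
            if local == "href" and value.strip().lower().startswith("javascript:"):
                reasons.append("javascript: URL in href")
    return reasons


def device_image_response(data: bytes) -> dict:
    """Accept or reject an uploaded device image and pick the headers to serve it with.
    Only XML-looking uploads are inspected here; raster formats need their own checks."""
    if not data.lstrip().startswith(b"<"):
        return {"accept": False, "reasons": ["not an SVG upload (raster checks omitted)"]}
    reasons = svg_active_content(data)
    if reasons:
        return {"accept": False, "reasons": reasons}
    return {"accept": True, "headers": {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # If the file is opened directly rather than via <img>, this CSP blocks any script.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
    }}
```

Rejecting at upload time is the primary control; the CSP header is defence in depth for files that were already stored before the check existed.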