Skip to main content

Traccar CVE-2026-25648

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-02-23 security-advisories@github.com
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
PoC Detected
Feb 26, 2026 - 16:25 vuln.today
Public exploit code
CVE Published
Feb 23, 2026 - 21:19 nvd
HIGH 8.7

DescriptionGitHub Advisory

Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the image/svg+xml Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.

AnalysisAI

Traccar versions 6.11.1 and later allow authenticated users to inject malicious JavaScript into other users' browsers by uploading unsanitized SVG files as device images, exploiting improper Content-Type handling. Public exploit code exists for this reflected cross-site scripting vulnerability, which could enable session hijacking or credential theft with no patch currently available.

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Traccar. Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the image/svg+xml Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available

RemediationAI

Monitor vendor advisories for a patch. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

CVE-2024-31214 CRITICAL POC
9.6 Apr 10

Traccar is an open source GPS tracking system. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploi

CVE-2026-25649 HIGH POC
7.3 Feb 23

Traccar GPS tracking system through version 6.11.1 allows authenticated users to hijack OAuth 2.0 authorization codes th

CVE-2025-68930 HIGH POC
7.1 Feb 23

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijack

CVE-2026-23521 MEDIUM POC
6.5 Feb 23

Traccar GPS tracking system through version 6.11.1 allows authenticated users to conduct arbitrary file writes by settin

CVE-2024-7746 CRITICAL
9.5 Aug 13

Use of Default Credentials vulnerability in Tananaev Solutions Traccar Server on Administrator Panel modules allows Auth

CVE-2026-27644 MEDIUM
6.5 May 05

Traccar versions 6.11.1 through 6.13.0 fail to escape user-controlled device and computed attributes in CSV export funct

CVE-2020-5246 MEDIUM
6.5 Jul 14

Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. Rated medium severity (CVSS 6.5), thi

CVE-2021-21292 MEDIUM
6.3 Feb 02

Traccar is an open source GPS tracking system. Rated medium severity (CVSS 6.3), this vulnerability is no authentication

CVE-2026-27693 MEDIUM
5.4 May 05

XML injection in Traccar 6.11.1 through 6.12.x allows authenticated users with low privileges to inject malicious XML in

CVE-2026-27694 MEDIUM
5.4 May 05

Stored cross-site scripting (XSS) in Traccar 6.11.1 through 6.12.x allows low-privilege authenticated users to inject ma

CVE-2026-44314 MEDIUM
5.3 May 26

Incorrect authorization in Traccar's DeviceResource.uploadImage endpoint allows authenticated low-privilege users to ove

Share

CVE-2026-25648 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy