Skip to main content

Traccar Client

1 CVEs product

Monthly

CVE-2026-48745 CRITICAL Act Now

Silent configuration hijack in Traccar Client GPS tracking app (versions 9.7.19 and below) allows remote attackers to redirect victim telemetry to attacker-controlled servers via a single crafted org.traccar.client://config deep link. The app accepts deep-link parameters (server URL, device ID, accuracy, distance, interval) and writes them to persistent configuration with no user confirmation, enabling continuous covert location tracking. No public exploit identified at time of analysis, but the upstream commit confirms a confirmation dialog was added in 9.7.20 as the fix.

Information Disclosure Traccar Client
NVD GitHub
CVSS 3.1
9.3
EPSS
0.4%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Silent configuration hijack in Traccar Client GPS tracking app (versions 9.7.19 and below) allows remote attackers to redirect victim telemetry to attacker-controlled servers via a single crafted org.traccar.client://config deep link. The app accepts deep-link parameters (server URL, device ID, accuracy, distance, interval) and writes them to persistent configuration with no user confirmation, enabling continuous covert location tracking. No public exploit identified at time of analysis, but the upstream commit confirms a confirmation dialog was added in 9.7.20 as the fix.

Information Disclosure Traccar Client
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy