HIGH🇬🇧 English

CVE-2026-25648

CVSS 8.7v3.1pub. 2026-02-23upd. 2026-02-26

Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  • Traccar

    APP
    Traccar
    ≥ 6.11.1
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
Tagi
XSS
CWE
Referencje

Powiązane podatności

CVE-2024-7746CRITICAL9.5PL ✓ten sam produkt

Traccar Server – pominięcie uwierzytelnienia przez domyślne dane logowania

CVE-2024-31214CRITICAL9.6PL ✓ten sam produkt

Traccar: nieograniczony upload plików prowadzący do RCE

CVE-2026-25649HIGH7.3ten sam produkt

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which a...

CVE-2025-68930HIGH7.1ten sam produkt

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSoc...

CVE-2023-50729HIGH8.4ten sam produkt

Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file uplo...

CVE-2026-25648 — HIGH 8.7 | CVEbaza.pl