HIGH🇵🇱 Wersja polska

CVE-2026-25648

CVSS 8.7v3.1pub. 2026-02-23upd. 2026-02-26

Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  • Traccar

    APP
    Traccar
    ≥ 6.11.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2024-7746CRITICAL9.5PL ✓ten sam produkt

Traccar Server – pominięcie uwierzytelnienia przez domyślne dane logowania

CVE-2024-31214CRITICAL9.6PL ✓ten sam produkt

Traccar: nieograniczony upload plików prowadzący do RCE

CVE-2026-25649HIGH7.3ten sam produkt

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which a...

CVE-2025-68930HIGH7.1ten sam produkt

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSoc...

CVE-2023-50729HIGH8.4ten sam produkt

Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file uplo...