CVE-2026-25648

Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.

CVSS v3 8.7 HIGH

8.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/traccar/traccar/security/advisories/GHSA-mc2g-mjqh-8x78	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-23 21:19

Updated : 2026-02-26 16:25

NVD link : CVE-2026-25648

Mitre link : CVE-2026-25648

CVE.ORG link : CVE-2026-25648

JSON object : View

Products Affected

traccar

traccar

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-434

Unrestricted Upload of File with Dangerous Type

{"id": "CVE-2026-25648", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.3}]}, "published": "2026-02-23T21:19:10.690", "references": [{"url": "https://github.com/traccar/traccar/security/advisories/GHSA-mc2g-mjqh-8x78", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-434"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available."}, {"lang": "es", "value": "Versiones del sistema de seguimiento GPS de c\u00f3digo abierto Traccar a partir de la 6.11.1 contienen un problema en el que usuarios autenticados pueden ejecutar JavaScript arbitrario en el contexto de los navegadores de otros usuarios al subir archivos SVG maliciosos como im\u00e1genes de dispositivo. La aplicaci\u00f3n acepta subidas de archivos SVG sin sanitizaci\u00f3n y los sirve con el Content-Type 'image/svg+xml', permitiendo que el JavaScript incrustado se ejecute cuando las v\u00edctimas ven la imagen. En el momento de la publicaci\u00f3n, no est\u00e1 claro si hay una soluci\u00f3n disponible."}], "lastModified": "2026-02-26T16:25:24.867", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7A82295B-76FF-4917-A101-0DC8A2CC2612", "versionStartIncluding": "6.11.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}