XSS Vulnerability in Traccar Open-Source GPS Tracking System
CVE-2026-25648

8.7HIGH

Key Information:

Vendor: Traccar
Status: Traccar
Vendor: CVE Published:; 23 February 2026

What is CVE-2026-25648?

The Traccar open-source GPS tracking system, starting from version 6.11.1, is vulnerable to a Cross-Site Scripting (XSS) issue. Authenticated users can exploit this vulnerability by uploading harmful SVG files disguised as device images, which leads to the execution of arbitrary JavaScript in the browsers of other users. This can result in serious security risks, as the application fails to sanitize the SVG file uploads, serving them with the image/svg+xml Content-Type. Consequently, any embedded JavaScript within the SVG files can execute automatically when users view these images. As of now, it is uncertain if a patch has been implemented to address this vulnerability.

Affected Version(s)

traccar >= 6.11.1

References

https://github.com/traccar/traccar/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 23, 2026
Vulnerability Reserved
Feb 4, 2026

CVE-2026-25648 Data

JSON