CVE-2025-68930

HIGH

Traccar <=6.11.1 - CSWSH

Title source: llm

Description

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a remote attacker to bypass the Same Origin Policy (SOP) and establish a full-duplex WebSocket connection using a legitimate user's credentials (JSESSIONID). As of time of publication, it is unclear whether a fix is available.

Exploits (2)

exploitdb WORKING POC

by hazar · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52545

View Code ZIP pw:eip

nomisec WRITEUP

by kaleth4 · poc

https://github.com/kaleth4/CVE-2025-68930

View Code ZIP pw:eip

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/traccar/traccar/security/advisories/GHSA-69x6-wcx2-vghp

Scores

CVSS v3 7.1

EPSS 0.0011

EPSS Percentile 29.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-1385

Status published

Products (1)

traccar/traccar < 6.11.1

Published Feb 23, 2026

Tracked Since Feb 23, 2026