CVE-2026-25648

HIGH

Traccar 6.11.1+ - XSS

Title source: llm

Description

Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.

References (1)

[Vendor Advisory] https://github.com/traccar/traccar/security/advisories/GHSA-mc2g-mjqh-8x78

Scores

CVSS v3 8.7

EPSS 0.0004

EPSS Percentile 12.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-79 CWE-434

Status published

Products (1)

traccar/traccar 6.11.1

Published Feb 23, 2026

Tracked Since Feb 23, 2026