Description
Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.
Published: 2026-02-23
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Assess and Mitigate
AI Analysis

Impact

Traccar allows authenticated users to upload SVG files that the system then serves as image/svg+xml without sanitization. A malicious SVG can embed JavaScript that executes when another user views the image, giving the uploader arbitrary client-side code execution in the victim's browser. This stored XSS flaw is classified as CWE-79 (cross-site scripting) and CWE-434 (unrestricted upload of a file with a dangerous type).

Affected Systems

Open-source Traccar GPS tracking instances running version 6.11.1 or newer are affected until a fix is applied. Releases before 6.11.1 are not affected, and instances that have received a patch are no longer vulnerable.

Risk and Exploitability

The flaw carries a high CVSS score of 8.7, but its EPSS of under 1% suggests a low probability of exploitation in the field. It is not listed in CISA's KEV catalog, so no in-the-wild exploitation has been confirmed. Because exploitation requires an authenticated account that can upload device images and a victim who then views the image, the vulnerability mainly poses an internal risk for organizations that allow shared dashboards.

Generated by OpenCVE AI on April 18, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Reconfigure Traccar to reject SVG uploads entirely or enforce a safe image type whitelist.
  • Delete any existing SVG images that might contain malicious JavaScript from the upload directory.
  • Check the Traccar project’s release notes and download page to determine whether a patched version is available, and if so, schedule an upgrade.
  • Apply a strict Content Security Policy that blocks inline script execution from image resources.
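The following is an added example, not Traccar's code, of how the first, second and fourth actions above can be implemented server-side: a raster-only allowlist decided from the file's magic bytes rather than the declared Content-Type or extension, an explicit SVG check that also catches raster/SVG polyglots, response headers that stop a stored upload from ever running as an active document, and a scan that finds SVG files already sitting in an upload directory. The signatures, directory layout and function names are assumptions for the example.

```python
"""Allowlist-based image upload validation with content sniffing.

Added example (not Traccar's code). Implements the recommended mitigations:
accept only a fixed set of raster image types, decide the type from the file
bytes rather than the declared Content-Type or extension, reject anything that
looks like SVG, and serve stored uploads with headers that keep a browser from
treating them as an active document. The directory scan shows how the same
check can find SVG files stored before the allowlist existed.
"""
import os
import re
from typing import Dict, List, Optional, Set

# Magic-byte signatures for the raster formats allowed (constructed allowlist).
_SIGNATURES: Dict[str, List[bytes]] = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
_EXTENSIONS: Dict[str, Set[str]] = {
    "image/png": {"png"},
    "image/jpeg": {"jpg", "jpeg"},
    "image/gif": {"gif"},
}

# An <svg ...> element anywhere in the leading bytes, any case. An XML prolog,
# DOCTYPE or comment may precede it, so anchoring at offset 0 is not enough.
_SVG_ELEMENT = re.compile(rb"<\s*svg[\s>/]", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised when an upload fails the allowlist check."""


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the allowlisted MIME type whose signature the bytes start with."""
    for mime, sigs in _SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    return None


def looks_like_svg(data: bytes) -> bool:
    """True if the leading bytes contain an <svg> element (after an optional UTF-8 BOM)."""
    head = data[:4096]
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    return _SVG_ELEMENT.search(head) is not None


def validate_image_upload(data: bytes, declared_type: str, filename: str) -> str:
    """Return the MIME type to store the file under, or raise UploadRejected.

    The sniffed type is authoritative; the client's Content-Type and the file
    extension must agree with it, so a renamed or mislabelled file is refused.
    The SVG check runs first so a PNG that also carries an <svg> element (a
    polyglot) is refused even though its magic bytes are valid.
    """
    if not data:
        raise UploadRejected("empty upload")
    if looks_like_svg(data):
        raise UploadRejected("SVG is not an accepted image type")
    actual = sniff_image_type(data)
    if actual is None:
        raise UploadRejected("file is not an allowlisted raster image")
    declared = declared_type.split(";", 1)[0].strip().lower()
    if declared != actual:
        raise UploadRejected(f"declared type {declared!r} does not match content {actual!r}")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in _EXTENSIONS[actual]:
        raise UploadRejected(f"extension {ext!r} does not match content {actual!r}")
    return actual


def is_allowed_image(data: bytes, declared_type: str, filename: str) -> bool:
    """Boolean form of validate_image_upload for callers that only need a verdict."""
    try:
        validate_image_upload(data, declared_type, filename)
        return True
    except UploadRejected:
        return False


def image_response_headers(mime: str) -> Dict[str, str]:
    """Headers for serving a stored upload.

    nosniff stops the browser second-guessing the type, and the CSP denies
    script execution if a stored file is ever opened as a top-level document
    instead of being embedded in an <img> tag.
    """
    if mime not in _SIGNATURES:
        raise ValueError(f"{mime!r} is not an allowlisted type")
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; script-src 'none'; sandbox",
    }


def find_svg_uploads(directory: str) -> List[str]:
    """Paths under `directory` whose content looks like SVG, whatever their extension."""
    hits = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                if looks_like_svg(fh.read(4096)):
                    hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed inputs: a minimal PNG header and an SVG with an XML prolog.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    svg = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"></svg>'
    print(validate_image_upload(png, "image/png", "device.png"))
    for bad in [(svg, "image/png", "device.png"), (png, "image/png", "device.svg")]:
        try:
            validate_image_upload(*bad)
        except UploadRejected as exc:
            print("rejected:", exc)
```

The scan in `find_svg_uploads` deliberately ignores extensions: an SVG stored under a `.png` name is still SVG when a browser is told so, and content is the only reliable signal. For the headers, note that the CSP only matters when a stored file is navigated to directly; an image referenced from an `<img>` tag cannot run script regardless, which is why the allowlist, not the headers, is the primary control.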

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 16:30:00 +0000

Type   Values Removed   Values Added
CPEs   (none)           cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*

Wed, 25 Feb 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 10:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Traccar; Traccar traccar
Vendors & Products    (none)           Traccar; Traccar traccar

Mon, 23 Feb 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.
Title         (none)           Traccar Vulnerable to Stored Cross-Site Scripting (XSS) via Malicious SVG File Upload
Weaknesses    (none)           CWE-434; CWE-79
References    (none)           (none)
Metrics       (none)           cvssV3_1 {'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T15:17:46.508Z

Reserved: 2026-02-04T05:15:41.792Z

Link: CVE-2026-25648

Vulnrichment

Updated: 2026-02-25T15:17:37.288Z

NVD

Status: Analyzed

Published: 2026-02-23T21:19:10.690

Modified: 2026-02-26T16:25:24.867

Link: CVE-2026-25648

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:00:06Z

Weaknesses