CVE-2026-25648

Traccar Vulnerable to Stored Cross-Site Scripting (XSS) via Malicious SVG File Upload

Assigner: GitHub_M
Reserved: 04.02.2026 Published: 23.02.2026 Updated: 23.02.2026

Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the image/svg+xml Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score: 8.7

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	traccar
Product	traccar
Versions	Version >= 6.11.1 is affected

Vendor

traccar

Product

traccar

Versions

Version >= 6.11.1 is affected

References

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE
CWE-434: Unrestricted Upload of File with Dangerous Type CWE

CVE-2026-25648 PUBLISHED

Traccar Vulnerable to Stored Cross-Site Scripting (XSS) via Malicious SVG File Upload

Metrics

Product Status

References

Problem Types