CVE-2026-25648

Severity: 8.7 HIGH

📋 TL;DR

Authenticated users in Traccar GPS tracking system can upload malicious SVG files containing JavaScript, which executes in other users' browsers when they view the image. This cross-site scripting (XSS) vulnerability affects all users of Traccar versions 6.11.1 and later. Attackers can steal session cookies, perform actions as victims, or redirect to malicious sites.

💻 Affected Systems

Products:
  • Traccar GPS tracking system
Versions: 6.11.1 and later
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to upload SVG files as device images.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full administrative access, compromise all user accounts, steal sensitive location data, and pivot to internal networks.

🟠 Likely Case

Session hijacking, account takeover, data theft, and malicious actions performed as authenticated users.

🟢 If Mitigated

Limited impact with proper input validation, content security policies, and file upload restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://github.com/traccar/traccar/security/advisories/GHSA-mc2g-mjqh-8x78

Restart Required: Yes

Instructions:

Monitor the GitHub advisory for patch availability. When available, update to the patched version and restart the Traccar service.

🔧 Temporary Workarounds

Disable SVG uploads (applies to: all)

Configure Traccar to reject SVG file uploads entirely by restricting the allowed image types to non-SVG formats.

Implement Content Security Policy (applies to: all)

Add CSP headers to prevent inline script execution from SVG files: add a "Content-Security-Policy: script-src 'self'" header in the web server configuration. The header must be sent on the responses that serve the uploaded images themselves, because a browser only runs scripts in an SVG when the file is opened as a document (for example by navigating to it directly), not when it is rendered through an <img> tag.

🧯 If You Can't Patch

  • Restrict SVG file uploads to trusted administrators only
  • Implement web application firewall rules to block malicious SVG content
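As an added example of the upload-time restriction described in the workarounds (not Traccar's own code, and assuming the upload handler can call a validator before saving a device image): a Python allow-list check that rejects SVG files carrying script elements, event-handler attributes, javascript:/data: URIs or a DTD, so only a plain vector icon is stored. The sample inputs exercised in the test are constructed.

```python
"""Reject uploaded SVG images that carry script-bearing content.
Added example for this advisory, not Traccar's own code; the hypothetical
upload handler is assumed to call svg_findings() before storing a file."""
import re
import xml.etree.ElementTree as ET

# Elements that can carry executable or HTML content inside an SVG document.
FORBIDDEN_ELEMENTS = {"script", "foreignobject"}
# URL-bearing attributes (plain and xlink-namespaced) checked for scripting URIs.
URL_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
# Conservative: data: is refused too, since it can smuggle an HTML document.
URI_SCHEME_RE = re.compile(r"^\s*(javascript|data)\s*:", re.I)


def _local(name: str) -> str:
    """Strip a namespace prefix like '{ns}tag' down to a lower-case 'tag'."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG should be rejected; [] means clean."""
    # Refuse DTDs up front: an icon needs no entities, and entity expansion
    # is a separate parser-abuse vector.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.I):
        return ["DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings: list[str] = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            if _local(attr).startswith("on"):  # onload, onclick, ...
                findings.append(f"event handler attribute {attr} on <{tag}>")
            elif attr.lower() in URL_ATTRS and URI_SCHEME_RE.match(value):
                findings.append(f"scripting URI in {attr} on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True when the image passed every check and may be stored."""
    return not svg_findings(data)
```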

🔍 How to Verify

Check if Vulnerable:

Check if running Traccar version 6.11.1 or later and verify SVG upload functionality is enabled.

Check Version:

Check Traccar web interface or configuration files for version information

Verify Fix Applied:

After applying workarounds, test SVG upload with embedded JavaScript to confirm it no longer executes.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • Multiple failed login attempts followed by SVG uploads

Network Indicators:

  • HTTP requests for SVG files with suspicious parameters
  • Outbound connections to unknown domains after SVG access

SIEM Query:

source="traccar" AND (file_extension="svg" OR content_type="image/svg+xml")
