CVE-2026-25648 in Traccarinfo

Zusammenfassung

von MITRE • 23.02.2026

Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

Zuständig

GitHub M

Reservieren

04.02.2026

Veröffentlichung

23.02.2026

Moderieren

akzeptiert

Eintrag

VDB-347455

CPE

bereit

CWE

CWE-79 (bestätigt)

CVSS

8.7 (CNA)

EPSS

0.00048

KEV

nein

Aktivitäten

very low

Quellen

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-25648
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-25648
CVE Details	https://www.cvedetails.com/cve/CVE-2026-25648/

◂ Zurück Übersicht Weiter ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!