PT-2026-21559 · Traccar · Traccar

Djvirus9 · Published 2026-02-23 · Updated 2026-02-28 · CVE-2026-25648

CVSS v3.1: 8.7 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Traccar versions 6.11.1 and later
Description: Traccar, an open-source GPS tracking system, is affected by a stored cross-site scripting (XSS) vulnerability. An authenticated user can upload a crafted SVG file as a device image. The application neither sanitizes the file nor restricts how it is delivered: it serves the upload back with the image/svg+xml Content-Type, so JavaScript embedded in the SVG executes in the browsers of other users who open it, allowing arbitrary JavaScript execution. The affected component is the file-upload API endpoint; the vulnerable input is the SVG file itself, specifically the script embedded within it.
Recommendations: Traccar versions 6.11.1 and later: at the time of writing there is no information about a newer version containing a fix for this vulnerability.
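The mitigation this class of bug calls for has two halves: refuse SVG uploads that carry active content, and serve stored images so that they cannot run as a top-level document even if one slips through. The following Python is an added illustration written for this entry; it is not Traccar's code, and the two SVG samples are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not from the advisory): a plain icon and one carrying a script element.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle r="4" cx="5" cy="5"/></svg>'
ACTIVE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed marker */</script></svg>'

# SVG elements that can carry executable or embedded-HTML content.
FORBIDDEN_ELEMENTS = {"script", "foreignObject"}


def local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.split("}", 1)[1] if qname.startswith("{") else qname


def find_active_content(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must not be served inline; an empty list means none found."""
    # A DOCTYPE is never needed for an icon and is how entity-expansion attacks reach the XML
    # parser, so refuse it outright (in production, parse untrusted XML with defusedxml).
    if b"<!DOCTYPE" in data.upper():
        return ["DOCTYPE declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in FORBIDDEN_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local_name(attr).lower()
            if name.startswith("on"):                     # onload=, onclick=, ...
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def image_response_headers(data: bytes, content_type: str) -> dict[str, str]:
    """Headers for serving a stored device image: SVG with active content is refused,
    and a clean SVG is still delivered so that it cannot execute as a document."""
    if content_type == "image/svg+xml" and (findings := find_active_content(data)):
        raise ValueError("SVG rejected: " + "; ".join(findings))
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",      # browsers may not sniff the body into HTML
        "Content-Disposition": "attachment",      # direct navigation downloads instead of rendering
        # Even if the file is rendered, this policy forbids any script from running.
        "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
    }
```

An `<img>` tag does not execute scripts inside an SVG; the exposure is a user opening the uploaded file's URL directly, which the headers above neutralize independently of the upload-time check.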

Exploit

XSS

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2026-25648
GHSA-MC2G-MJQH-8X78

Affected Products

Traccar