CVE-2026-25648
Published: 23 February 2026
Summary
CVE-2026-25648 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the Traccar GPS tracking system. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 14.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses improper neutralization of input by validating uploaded SVG files to block embedded JavaScript, preventing XSS exploitation.
- Enforces restrictions on file upload types and detects malicious code in SVGs, mitigating unrestricted upload of dangerous files.
- Filters output when serving device images to neutralize JavaScript in SVGs, preventing execution in victims' browsers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS via unsanitized SVG upload in a public-facing web application directly enables exploitation of the application (T1190) to achieve arbitrary JavaScript execution in victims' browsers (T1059.007), which in turn facilitates session hijacking (T1185) and theft of web session cookies (T1539).
NVD Description
Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.
Deeper analysis
CVE-2026-25648 is a cross-site scripting (XSS) vulnerability affecting versions of the Traccar open-source GPS tracking system starting with 6.11.1. The issue arises because the application accepts SVG file uploads for device images without proper sanitization and serves them with the image/svg+xml Content-Type header. This allows embedded JavaScript within the SVG to execute in the context of victims' browsers when they view the affected images, corresponding to CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-434 (Unrestricted Upload of File with Dangerous Type).
An authenticated user with low privileges (PR:L) can exploit this vulnerability by uploading a malicious SVG file as a device image. Exploitation requires user interaction (UI:R) from a victim who views the image, such as another authenticated user browsing devices in the Traccar interface. Successful exploitation enables arbitrary JavaScript execution in the victim's browser with high confidentiality and integrity impacts (C:H/I:H) and a changed scope (S:C), potentially leading to session hijacking, data theft, or further compromise within the application's context. The vulnerability has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N).
The GitHub Security Advisory at https://github.com/traccar/traccar/security/advisories/GHSA-mc2g-mjqh-8x78 provides details on the issue, but as of the CVE publication on 2026-02-23, it remains unclear whether a fix is available. Security practitioners should monitor for updates from the Traccar project and consider restricting SVG uploads or implementing client-side sanitization as interim mitigations.
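The two controls named above, SI-10 on the upload path and SI-15 on the serving path, can be shown concretely. The following is an added example written for this page; it is not code from Traccar or from the advisory, and the function names, the size limit and the sample SVG documents are constructed assumptions. It refuses DOCTYPE and entity declarations before parsing, parses the upload with the standard library, rejects any element, event-handler attribute or href that could carry script or pull in external content, and builds the response headers that keep a directly navigated SVG from running script or reaching the application's origin.

```python
"""Defensive handling of SVG device-image uploads (example code, not Traccar's).

validate_svg()        -> input validation at upload time (NIST 800-53 SI-10)
svg_response_headers() -> output-side hardening when the file is served (SI-15)
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
MAX_SVG_BYTES = 256 * 1024  # assumed upload limit for a device image

# Elements that execute code, embed foreign documents or fetch external
# resources. A device icon needs none of them, so they are rejected outright.
FORBIDDEN_ELEMENTS = {
    "script", "foreignobject", "iframe", "embed", "object",
    "use", "image", "animate", "set", "handler",
}


def _local(name: str) -> str:
    """Reduce '{namespace}local' (or 'prefix:local') to 'local'."""
    if name.startswith("{"):
        name = name.split("}", 1)[1]
    return name.rsplit(":", 1)[-1]


def _is_fragment_reference(value: str) -> bool:
    """Allow only empty or same-document ('#id') references in href attributes.
    Whitespace and control characters are stripped first because browsers
    tolerate them inside a URL scheme, e.g. 'java\\tscript:'."""
    cleaned = re.sub(r"[\s\x00-\x1f]", "", value)
    return cleaned == "" or cleaned.startswith("#")


def _css_is_unsafe(css: str) -> bool:
    """CSS that loads external resources or (in legacy engines) runs code."""
    return re.search(r"url\s*\(|@import|expression\s*\(", css, re.IGNORECASE) is not None


def validate_svg(data: bytes) -> list:
    """Return a list of rejection reasons; an empty list means the file is accepted."""
    if len(data) > MAX_SVG_BYTES:
        return ["file exceeds size limit"]
    # Entity declarations enable entity-expansion and XXE tricks; refuse any DOCTYPE.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        return ["DOCTYPE/ENTITY declarations are not allowed"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    reasons = []
    if root.tag != f"{{{SVG_NS}}}svg":
        reasons.append(f"root element is {root.tag!r}, expected an SVG <svg> element")
    for el in root.iter():
        tag = _local(el.tag).lower()
        if tag in FORBIDDEN_ELEMENTS:
            reasons.append(f"forbidden element <{tag}>")
        if tag == "style" and _css_is_unsafe(el.text or ""):
            reasons.append("<style> element references external resources")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):  # onload, onclick, onbegin, ... all run script
                reasons.append(f"event-handler attribute {name!r} on <{tag}>")
            elif name == "href" and not _is_fragment_reference(value):
                reasons.append(f"non-fragment href {value!r} on <{tag}>")
            elif name == "style" and _css_is_unsafe(value):
                reasons.append(f"style attribute with external reference on <{tag}>")
    return reasons


def svg_response_headers() -> dict:
    """Headers for serving an accepted SVG. Even if validation were bypassed, a
    browser navigating straight to the file gets a unique, scriptless origin."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed samples for demonstration (not taken from the advisory).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<circle cx="5" cy="5" r="4" fill="red"/></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="x()"/>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="jAva\tscript:x()"><text>hi</text></a></svg>')
DOCTYPE_SVG = b'<!DOCTYPE svg [<!ENTITY e "x">]><svg xmlns="http://www.w3.org/2000/svg"/>'

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG), ("onload", ONLOAD_SVG),
                          ("href", HREF_SVG), ("doctype", DOCTYPE_SVG)]:
        print(f"{label:8s} -> {validate_svg(sample) or 'accepted'}")
    print(svg_response_headers())
```

Script inside an SVG does not run when the file is displayed through an `<img>` element; the exposure is a browser navigating to the upload URL directly or embedding it with `<object>`/`<iframe>`, which is why the `Content-Security-Policy` with `sandbox` still matters after validation. Serving user uploads from a separate origin is the stronger complement to these headers.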
Details
- CWE(s)