CVE-2026-25648
Stored XSS via Unsanitized SVG Uploads in Traccar GPS System
Publication date: 2026-02-23
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| traccar | traccar | From 6.11.1 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25648 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in the Traccar GPS tracking system starting from version 6.11.1. It occurs because authenticated users with permission to edit devices can upload malicious SVG files as device images without any sanitization.

These SVG files are served with the MIME type image/svg+xml, allowing embedded JavaScript within the SVG to execute in the browsers of other users who view the device images. This means attackers can run arbitrary JavaScript code in the context of other users' browsers.

The vulnerability arises from the lack of filtering or validation of SVG content during upload and the absence of security headers like Content-Security-Policy or X-Content-Type-Options, which would normally restrict script execution. [1]
How can this vulnerability impact me?
This vulnerability can have several serious impacts:
- Session Hijacking: Attackers can steal session cookies from users viewing the malicious SVG, potentially taking over their accounts.
- Privilege Escalation: Regular users can target administrators by uploading malicious SVGs, gaining elevated access.
- Data Theft: Arbitrary JavaScript can access and exfiltrate sensitive data visible to the victim.
- Persistent Attack: The malicious payload remains stored on the server and executes whenever the device image is viewed.
- Phishing: Attackers can redirect users to fake login pages to capture credentials.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying whether malicious SVG files containing embedded JavaScript have been uploaded as device images in the Traccar system. Since the exploit involves authenticated users uploading SVG files to the /api/devices/{id}/image POST endpoint and these files being served at /api/media/{uniqueId}/device.svg, monitoring these endpoints for SVG uploads and accesses is key.

Suggested detection steps include:
- Check for SVG files uploaded as device images by querying the device image upload endpoint logs or database entries for files with the MIME type image/svg+xml.
- Inspect uploaded SVG files for embedded <script> tags or JavaScript event handlers that could execute code.
- Monitor HTTP requests to /api/media/{uniqueId}/device.svg endpoints to detect access to potentially malicious SVG images.

Example commands (assuming access to server logs or database):
- Use grep or similar tools to find SVG uploads in logs: grep -i 'image/svg+xml' /path/to/traccar/logs/access.log
- Search for <script> tags inside SVG files stored on the server: grep -r '<script' /path/to/traccar/media/
- Query the database or API for device images with SVG content type if applicable. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps to address this vulnerability include:
- Disallow SVG uploads entirely by removing "image/svg+xml" from the list of accepted image types in the application.
- If SVG support is necessary, sanitize all uploaded SVG files to remove <script> tags and event handlers before storing them, using libraries such as Apache Batik.
- Serve SVG files with the Content-Disposition header set to "attachment" to prevent browsers from rendering them inline and executing embedded scripts.
- Implement Content Security Policy (CSP) headers to restrict script execution, for example: "default-src 'none'; img-src 'self'; style-src 'self'".
- Set the X-Content-Type-Options header to "nosniff" to prevent MIME type sniffing by browsers. [1]
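A scanner and sanitizer for the detection and mitigation steps above, added here as an example and not code from the advisory or from the Traccar project: find_active_content flags script elements, on* event handlers and javascript: hrefs (the grep for '<script' in the detection answer misses the last two), sanitize_svg strips them as the mitigation answer recommends, and scan_media_dir walks a media directory such as the /path/to/traccar/media/ placeholder used above. It relies on Python's stdlib ElementTree; when scanning untrusted files in production, parse with defusedxml instead to guard against entity-expansion attacks.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

ET.register_namespace("", "http://www.w3.org/2000/svg")        # keeps output free of ns0: prefixes
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")
# Elements that run script or embed active content when a browser renders the SVG inline.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

def _local(name):
    return name.rsplit("}", 1)[-1]      # strip the {namespace} prefix ElementTree adds to names

def _is_active_attr(name, value):
    local = _local(name).lower()        # on* event handlers, or href/xlink:href with a javascript: URL
    return local.startswith("on") or (local == "href" and value.strip().lower().startswith("javascript:"))

def find_active_content(svg_bytes):
    """Detection: list the script-capable constructs found in one SVG document."""
    findings = []
    for el in ET.fromstring(svg_bytes).iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element <{tag}>")
        findings += [f"attribute {_local(a)} on <{tag}>" for a, v in el.attrib.items() if _is_active_attr(a, v)]
    return findings

def sanitize_svg(svg_bytes):
    """Mitigation: return the SVG with active elements and handler/javascript: attributes stripped."""
    root = ET.fromstring(svg_bytes)
    for parent in list(root.iter()):    # snapshot first: removing nodes while iterating is unsafe
        for child in list(parent):
            if _local(child.tag) in ACTIVE_ELEMENTS:
                parent.remove(child)
    for el in root.iter():
        for attr in [a for a, v in el.attrib.items() if _is_active_attr(a, v)]:
            del el.attrib[attr]
    return ET.tostring(root)

def scan_media_dir(media_root):
    report = {}                         # path -> findings, for every SVG under a media directory
    for path in Path(media_root).rglob("*.svg"):
        try:
            hits = find_active_content(path.read_bytes())
        except ET.ParseError as exc:
            hits = [f"unparseable SVG: {exc}"]   # malformed files deserve a manual look too
        if hits:
            report[str(path)] = hits
    return report
# Constructed sample (not from the advisory) carrying three script-capable constructs.
SAMPLE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
              b'<script>alert(1)</script><a xlink:href="javascript:alert(1)"><circle r="10"/></a></svg>')
```

Run scan_media_dir against the media directory of a test instance to list the files that need review; a clean image produces no findings.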