CVE-2026-25648
Received Received - Intake
Stored XSS via Unsanitized SVG Uploads in Traccar GPS System

Publication date: 2026-02-23

Last updated on: 2026-02-26

Assigner: GitHub, Inc.

Description
Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file uploads without sanitization and serves them with the `image/svg+xml` Content-Type, allowing embedded JavaScript to execute when victims view the image. As of time of publication, it is unclear whether a fix is available.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-23
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-02-23
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25648
EUVD
EUVD-2026-7485
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
traccar traccar From 6.11.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25648 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in the Traccar GPS tracking system starting from version 6.11.1. It occurs because authenticated users with permission to edit devices can upload malicious SVG files as device images without any sanitization.'}, {'type': 'paragraph', 'content': "These SVG files are served with the MIME type image/svg+xml, allowing embedded JavaScript within the SVG to execute in the browsers of other users who view the device images. This means attackers can run arbitrary JavaScript code in the context of other users' browsers."}, {'type': 'paragraph', 'content': 'The vulnerability arises from the lack of filtering or validation of SVG content during upload and the absence of security headers like Content-Security-Policy or X-Content-Type-Options, which would normally restrict script execution.'}] [1]

Impact Analysis

This vulnerability can have several serious impacts:

  • Session Hijacking: Attackers can steal session cookies from users viewing the malicious SVG, potentially taking over their accounts.
  • Privilege Escalation: Regular users can target administrators by uploading malicious SVGs, gaining elevated access.
  • Data Theft: Arbitrary JavaScript can access and exfiltrate sensitive data visible to the victim.
  • Persistent Attack: The malicious payload remains stored on the server and executes whenever the device image is viewed.
  • Phishing: Attackers can redirect users to fake login pages to capture credentials.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by identifying if malicious SVG files containing embedded JavaScript have been uploaded as device images in the Traccar system. Since the exploit involves authenticated users uploading SVG files to the /api/devices/{id}/image POST endpoint and these files being served at /api/media/{uniqueId}/device.svg, monitoring these endpoints for SVG uploads and accesses is key.'}, {'type': 'paragraph', 'content': 'Suggested detection steps include:'}, {'type': 'list_item', 'content': 'Check for SVG files uploaded as device images by querying the device image upload endpoint logs or database entries for files with the MIME type image/svg+xml.'}, {'type': 'list_item', 'content': 'Inspect uploaded SVG files for embedded <script> tags or JavaScript event handlers that could execute code.'}, {'type': 'list_item', 'content': 'Monitor HTTP requests to /api/media/{uniqueId}/device.svg endpoints to detect access to potentially malicious SVG images.'}, {'type': 'paragraph', 'content': 'Example commands (assuming access to server logs or database):'}, {'type': 'list_item', 'content': "Use grep or similar tools to find SVG uploads in logs: grep -i 'image/svg+xml' /path/to/traccar/logs/access.log"}, {'type': 'list_item', 'content': "Search for <script> tags inside SVG files stored on the server: grep -r '<script' /path/to/traccar/media/"}, {'type': 'list_item', 'content': 'Query the database or API for device images with SVG content type if applicable.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps to address this vulnerability include:'}, {'type': 'list_item', 'content': 'Disallow SVG uploads entirely by removing "image/svg+xml" from the list of accepted image types in the application.'}, {'type': 'list_item', 'content': 'If SVG support is necessary, sanitize all uploaded SVG files to remove <script> tags and event handlers before storing them, using libraries such as Apache Batik.'}, {'type': 'list_item', 'content': 'Serve SVG files with Content-Disposition headers set to "attachment" to prevent browsers from rendering them inline and executing embedded scripts.'}, {'type': 'list_item', 'content': 'Implement Content Security Policy (CSP) headers to restrict script execution, for example: "default-src \'none\'; img-src \'self\'; style-src \'self\'".'}, {'type': 'list_item', 'content': 'Set the X-Content-Type-Options header to "nosniff" to prevent MIME type sniffing by browsers.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25648. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart