Home / Vulnerability Intelligence / CVE-2026-25648

CVE-2026-25648 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: February 24, 2026

Traccar - Stored XSS

Published: February 23, 2026Updated: February 24, 2026Remote Exploitable

Overview

Traccar >= 6.11.1 contains a stored XSS vulnerability caused by unsanitized SVG file uploads served with image/svg+xml, letting authenticated users execute arbitrary JavaScript in other users' browsers, exploit requires authentication.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 3.2%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can execute arbitrary JavaScript in other users' browsers, potentially leading to session hijacking or further attacks.

Mitigation

Update to the latest version once a fix is available or implement SVG sanitization before upload.

References

https://github.com/traccar/traccar/security/advisories/GHSA-mc2g-mjqh-8x78

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 23, 2026

🟠 CVE-2026-25648 - High (8.7) Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25648/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-25648
Severity: High
CVSS Score: 8.7
Type: stored_xss
Status: unconfirmed
EPSS: 3.2%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score

3.2%Probability of exploitation in the next 30 days