Traccar - Unrestricted File Upload

Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this...

Framework for Discovering GPS Spoofing Attacks in Drone Swarms

Swarm robotics, particularly drone swarms, are used in various safety-critical tasks. While a lot of attention has been given to improving swarm control algorithms for improved intelligence, the security implications of various design choices in swarm control algorithms have not been studied. We...

PT-2026-45077

First mobile CVE by @neo ai engineer — CVE-2026-48745 Traccar Client 100k+ installs: one deep link silently redirects GPS telemetry to an attacker. Neo found it using static analysis + dynamic validation via @Genymotion integration. https://t.co/4qXTPRjgpq...

CVE-2026-48235

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses InstaMapper and Google Latitude integration are concatenated into...

EUVD-2026-31315

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses InstaMapper and Google Latitude integration are concatenated into...

CVE-2026-48235 Open ISES Tickets < 3.44.2 SQL Injection in incs/remotes.inc.php via External GPS Tracker Data

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses InstaMapper and Google Latitude integration are concatenated into...

Malicious code in ihubinternal (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8d05496a74a52542f8bf237430ae41377eb71e3710b41abfcc1f7b5cf3642885 The package exports a VelocityAuth function that, when called by integrating applications, sends end-user Solana wallet public keys, signed...

tickets SQL注入漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a SQL injection vulnerability. This vulnerability stemmed from the fact that the values of latitude, longitude, callsign, mph, altitude, and timestamp,...

PT-2026-42513

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses InstaMapper and Google Latitude integration are concatenated into...

Astra Linux - уязвимость в ntp

The praecisparse function in ntpd/refclockpalisade.c, within NTP 4.2.8p15, contains an out-of-bounds write vulnerability. Any attack method would be complex, for example, using a manipulated GPS receiver...

CVE-2026-27892

FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadat...

CVE-2026-27892

FacturaScripts Library module stores and serves uploaded images without stripping EXIF/IPTC/XMP metadata, allowing any authenticated user who downloads an image to extract GPS coordinates, device information, timestamps, and other PII embedded in metadata. This is a design-level omission affectin...

CVE-2026-27892

FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadat...

EUVD-2026-30812

FacturaScripts is an open source accounting and invoicing software. In versions prior to 2026, the Library module stores and serves uploaded images byte-for-byte, without stripping EXIF/XMP/IPTC metadata. Any authenticated user who downloaded an image could extract the uploader's embedded metadat...

GHSA-Q7F2-RV22-2XGR FacturaScripts Vulnerable to Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload/Download

Summary Fectura Scripts is an open-source ERP application, a sensitive information disclosure vulnerability was identified in the Library module's image upload and download pipeline. The application fails to strip EXIF and other embedded metadata from user-uploaded image files before storing them...

FacturaScripts Vulnerable to Unstripped Image Metadata (EXIF) Leakage via Library Module File Upload/Download

Summary Fectura Scripts is an open-source ERP application, a sensitive information disclosure vulnerability was identified in the Library module's image upload and download pipeline. The application fails to strip EXIF and other embedded metadata from user-uploaded image files before storing them...

CVE-2026-27693

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

PT-2026-37033

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)

Exploit Title: Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking CSWSH Date: 2026-02-26 Exploit Author: Hazar Taspinar Vendor Homepage: https://www.traccar.org/ Software Link: https://github.com/traccar/traccar Version: = 6.11.1 Tested on: Windows 11 / Linux CVE: CVE-2025-68930...

Astra Linux - уязвимость в linux-5.10, linux-6.1, linux, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: pps: Fixed a use-after-free On a board running with ntpd and gpsd, I’m encountering a consistent issue of use-after-free in sysexit from gpsd during reboots: pps pps1: Removed ----------- Cut here ------------ kobject: ‘Null’...