153 matches found
Traccar - Unrestricted File Upload
Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account and exploit this...
PT-2026-45077
First mobile CVE by @neo ai engineer — CVE-2026-48745 Traccar Client 100k+ installs: one deep link silently redirects GPS telemetry to an attacker. Neo found it using static analysis + dynamic validation via @Genymotion integration. https://t.co/4qXTPRjgpq...
CVE-2026-44314
Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.PermissionUser.class, getUserId, Device.class and then immediately streams the uploaded body into mediaManager.createFileStream.... Unlike the generic...
EUVD-2026-31852
Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.PermissionUser.class, getUserId, Device.class and then immediately streams the uploaded body into mediaManager.createFileStream.... Unlike the generic...
CVE-2026-44314
Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.PermissionUser.class, getUserId, Device.class and then immediately streams the uploaded body into mediaManager.createFileStream.... Unlike the generic...
CVE-2026-44314 Traccar: Missing edit authorization on device image upload allows read-only users to write files
Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.PermissionUser.class, getUserId, Device.class and then immediately streams the uploaded body into mediaManager.createFileStream.... Unlike the generic...
CVE-2026-44314 Traccar: Missing edit authorization on device image upload allows read-only users to write files
Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.PermissionUser.class, getUserId, Device.class and then immediately streams the uploaded body into mediaManager.createFileStream.... Unlike the generic...
CVE-2026-44314
CVE-2026-44314 (Traccar) affects the open-source GPS tracking system prior to version 6.13.0. In DeviceResource.uploadImage, authentication is insufficient: after authorizing a target device via Condition.Permission(User.class, getUserId(), Device.class), the route streams the upload into mediaMa...
Traccar 安全漏洞
Traccar is a Java-based website building system provided by the American company Traccar. This software supports over 170 GPS protocols and over 1,500 types of GPS tracking devices. Traccar can be used alongside any major SQL database systems. It also offers a user-friendly REST API. Prior to...
PT-2026-43299
Name of the Vulnerable Software and Affected Versions Traccar versions prior to 6.13.0 Description An authorization bypass exists in the GPS tracking system where the 'DeviceResource.uploadImage' endpoint fails to invoke the permissionsService.checkEdit function. While the system uses...
CVE-2026-27693
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...
XML Injection
Overview Affected versions of this package are vulnerable to XML Injection in the KML and GPX export functionality. An attacker can corrupt the file structure and spoof exported location data by creating a device with a crafted name that injects XML content into the exported files. Remediation...
CSV Injection
Overview Affected versions of this package are vulnerable to CSV Injection in the CSV export functionality. An attacker can cause command execution or data exfiltration by injecting malicious formulas into exported fields, which are then executed when the CSV file is opened in spreadsheet softwar...
CVE-2026-27693
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...
CVE-2026-27694
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store...
CVE-2026-27644
Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas through exported...
CVE-2026-27694 traccar allows stored HTML injection in notification emails
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store...
EUVD-2026-27309
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store...
CVE-2026-27694
Traccar (org.traccar:traccar) versions 6.11.1–6.12.x are vulnerable to stored HTML injection in email notification templates. User-controlled device, geofence, and driver names are inserted into HTML output without proper escaping, allowing an attacker with low privileges to store crafted HTML th...
CVE-2026-27694 traccar allows stored HTML injection in notification emails
Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store...