CVE-2026-44314

CVE-2026-44314 (Traccar) affects the open-source GPS tracking system prior to version 6.13.0. In DeviceResource.uploadImage, authentication is insufficient: after authorizing a target device via Condition.Permission(User.class, getUserId(), Device.class), the route streams the upload into mediaMa...

EUVD-2026-31852

Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.PermissionUser.class, getUserId, Device.class and then immediately streams the uploaded body into mediaManager.createFileStream.... Unlike the generic...

XML Injection

Overview Affected versions of this package are vulnerable to XML Injection in the KML and GPX export functionality. An attacker can corrupt the file structure and spoof exported location data by creating a device with a crafted name that injects XML content into the exported files. Remediation...

CVE-2026-27694

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store...

CVE-2026-27693

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted name that injects XML...

EUVD-2026-27309

Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low privileges can store...

Exploit for CVE-2025-68930

🔍 Análisis del CVE-2025-68930: Vulnerabilidad de Secuestro de...

CVE-2025-68930

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking CSWSH vulnerability in the /api/socket endpoint. The application fails to validate the Origin header during the WebSocket handshake. This allows a remote attacker to bypass...

CVE-2023-50729

Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in File feature allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web servers as root...

CVE-2025-61666 Traccar Unauthenticated Local File Inclusion on Windows - Leakage of Traccar Config File

Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1- 6.8.1 and non default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any file on the file syste...

PT-2025-40429

Name of the Vulnerable Software and Affected Versions Traccar versions 5.8 through 6.0 Traccar versions 6.1 through 6.8.1 Description Traccar, an open source GPS tracking system, has a flaw that allows for unauthenticated local file inclusion attacks. This can result in the disclosure of password...

CVE-2024-31214

Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file...

CVE-2021-21292

Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. Attacker needs write access to the filesystem on the host machine. If Java path includes a space, then attacker can lift their...

Traccar 代码问题漏洞

Traccar is a Java-based website builder that provides GPS tracking functionality from Traccar Inc. in the United States. The software supports more than 170 GPS protocols and more than 1500 models of GPS tracking devices.Traccar can be used with any major SQL database system . It also provides an...

CVE-2023-50729 An unrestricted file upload vulnerability in traccar leads to RCE

Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in File feature allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web servers as root...