VYPR

Traccar

by Traccar

CVEs (17)

  • CVE-2024-24809 (High), Apr 10, 2024
    risk 0.58, CVSS 8.5, EPSS 0.54

    Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of file with dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account…

  • CVE-2025-61666 (High), Oct 2, 2025
    risk 0.57, CVSS not listed, EPSS 0.01

    Traccar is an open source GPS tracking system. Default installs of Traccar on Windows between versions 6.1 - 6.8.1 and non-default installs between versions 5.8 - 6.0 are vulnerable to unauthenticated local file inclusion attacks which can lead to leakage of passwords or any…

  • CVE-2026-27644 (Medium), May 5, 2026
    risk 0.35, CVSS 6.5, EPSS 0.00

    Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas…

  • CVE-2026-27694 (Medium), May 5, 2026
    risk 0.28, CVSS 5.4, EPSS 0.00

    Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low…

  • CVE-2026-27693 (Medium), May 5, 2026
    risk 0.28, CVSS 5.4, EPSS 0.00

    Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted…

  • CVE-2026-44314 (Medium), May 26, 2026
    risk 0.21, CVSS 4.3, EPSS 0.00

    Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into…

  • CVE-2024-31214, Apr 10, 2024
    risk 0.04, CVSS not listed, EPSS 0.18

    Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control…

  • CVE-2025-68930, Feb 23, 2026
    risk 0.03, CVSS not listed, EPSS 0.01

    Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a…

  • CVE-2018-1000881, Dec 20, 2018
    risk 0.01, CVSS not listed, EPSS 0.04

    Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in ComputedAttributesHandler.java that can result in Remote Command Execution. This attack appears to be exploitable via Remote: web…

  • CVE-2026-48745, Jun 16, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an…

  • CVE-2026-25649, Feb 23, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is…

  • CVE-2026-25648, Feb 23, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file…

  • CVE-2026-23521, Feb 23, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build…

  • CVE-2023-50729, Jan 15, 2024
    risk 0.00, CVSS not listed, EPSS 0.01

    Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in the File feature that allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web…

  • CVE-2021-21292, Feb 2, 2021
    risk 0.00, CVSS not listed, EPSS 0.00

    Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. Attacker needs write access to the filesystem on the host machine. If Java path includes a space, then…

  • CVE-2020-5246, Jul 14, 2020
    risk 0.00, CVSS not listed, EPSS 0.01

    Traccar GPS Tracking System before version 4.9 has an LDAP injection vulnerability. It occurs when user input is used in an LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges. The issue only…

  • CVE-2019-5748, Jan 9, 2019
    risk 0.00, CVSS not listed, EPSS 0.02

    In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks.