Traccar
by Traccar
CVEs (17)
| CVE | Severity | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|
| CVE-2024-24809 | High | 0.58 | 8.5 | 0.54 | Apr 10, 2024 | Traccar is an open source GPS tracking system. Versions prior to 6.0 are vulnerable to path traversal and unrestricted upload of a file with a dangerous type. Since the system allows registration by default, attackers can acquire ordinary user permissions by registering an account… |
| CVE-2025-61666 | High | 0.57 | — | 0.01 | Oct 2, 2025 | Traccar is an open source GPS tracking system. Default installs of Traccar on Windows, versions 6.1 through 6.8.1, and non-default installs, versions 5.8 through 6.0, are vulnerable to unauthenticated local file inclusion attacks, which can lead to leakage of passwords or any… |
| CVE-2026-27644 | Medium | 0.35 | 6.5 | 0.00 | May 5, 2026 | Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and computed attributes, to CSV output without proper escaping. An attacker can inject spreadsheet formulas… |
| CVE-2026-27694 | Medium | 0.28 | 5.4 | 0.00 | May 5, 2026 | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and driver names into HTML email output without proper escaping. An attacker with low… |
| CVE-2026-27693 | Medium | 0.28 | 5.4 | 0.00 | May 5, 2026 | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names to XML output without proper escaping. An attacker with low privileges can create a device with a crafted… |
| CVE-2026-44314 | Medium | 0.21 | 4.3 | 0.00 | May 26, 2026 | Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into… |
| CVE-2024-31214 | — | 0.04 | — | 0.18 | Apr 10, 2024 | Traccar is an open source GPS tracking system. Traccar versions 5.1 through 5.12 allow arbitrary files to be uploaded through the device image upload API. Attackers have full control over the file contents, full control over the directory where the file is stored, full control… |
| CVE-2025-68930 | — | 0.03 | — | 0.01 | Feb 23, 2026 | Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in the `/api/socket` endpoint. The application fails to validate the `Origin` header during the WebSocket handshake. This allows a… |
| CVE-2018-1000881 | — | 0.01 | — | 0.04 | Dec 20, 2018 | Traccar Server version 4.0 and earlier contains a CWE-94 Improper Control of Generation of Code ('Code Injection') vulnerability in ComputedAttributesHandler.java that can result in remote command execution. This attack appears to be exploitable via Remote: web… |
| CVE-2026-48745 | — | 0.00 | — | 0.00 | Jun 16, 2026 | Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an… |
| CVE-2026-25649 | — | 0.00 | — | 0.00 | Feb 23, 2026 | Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users can steal OAuth 2.0 authorization codes by exploiting an open redirect vulnerability in two OIDC-related endpoints. The `redirect_uri` parameter is… |
| CVE-2026-25648 | — | 0.00 | — | 0.00 | Feb 23, 2026 | Versions of the Traccar open-source GPS tracking system starting with 6.11.1 contain an issue in which authenticated users can execute arbitrary JavaScript in the context of other users' browsers by uploading malicious SVG files as device images. The application accepts SVG file… |
| CVE-2026-23521 | — | 0.00 | — | 0.00 | Feb 23, 2026 | Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build… |
| CVE-2023-50729 | — | 0.00 | — | 0.01 | Jan 15, 2024 | Traccar is an open source GPS tracking system. Prior to 5.11, Traccar is affected by an unrestricted file upload vulnerability in the File feature that allows attackers to execute arbitrary code on the server. This vulnerability is more prevalent because Traccar is recommended to run web… |
| CVE-2021-21292 | — | 0.00 | — | 0.00 | Feb 2, 2021 | Traccar is an open source GPS tracking system. In Traccar before version 4.12 there is an unquoted Windows binary path vulnerability. Only Windows versions are impacted. The attacker needs write access to the filesystem on the host machine. If the Java path includes a space, then… |
| CVE-2020-5246 | — | 0.00 | — | 0.01 | Jul 14, 2020 | Traccar GPS Tracking System before version 4.9 has an LDAP injection vulnerability. It occurs when user input is used in the LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges. The issue only… |
| CVE-2019-5748 | — | 0.00 | — | 0.02 | Jan 9, 2019 | In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks. |
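Three of the entries above (CVE-2026-27644 for CSV, CVE-2026-27693 for KML/GPX, CVE-2026-27694 for HTML email) are the same bug class: a user-controlled device or attribute value written into an export without escaping for the target format. The CSV case is the one whose fix is least obvious, because RFC 4180 quoting alone does not stop a spreadsheet from evaluating a cell that begins with `=`, `+`, `-` or `@`. The following is an added example written for this page in Python, not Traccar's own exporter (which is Java); the field names and the sample position rows are constructed, and it shows the naive writer beside a hardened one that quotes every field and neutralises formula triggers in string cells while leaving numeric coordinates intact.

```python
"""Added example: neutralising spreadsheet-formula injection in a CSV export.

Illustrative code for this page, not Traccar's exporter. It models the bug
class described for CVE-2026-27644 (device and computed-attribute values
written to CSV unescaped). Field names and sample rows are constructed.
"""
import csv
import io

# Leading characters that make Excel/LibreOffice treat a cell as a formula.
# Tab and CR are included because some importers strip leading whitespace
# before deciding whether a cell is a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def export_naive(rows, fields):
    """Vulnerable form: joins values with commas and applies no escaping."""
    out = [",".join(fields)]
    for row in rows:
        out.append(",".join(str(row.get(f, "")) for f in fields))
    return "\n".join(out) + "\n"


def neutralize_cell(value):
    """Prefix a string cell with a single quote so the spreadsheet keeps it as
    text. Real numbers (not bools) pass through unchanged: a negative
    coordinate must keep its leading '-', and a numeric type cannot carry a
    formula."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return value
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_hardened(rows, fields):
    """Hardened form: RFC 4180 quoting for every field via the csv module plus
    formula neutralisation of every string cell, attributes included."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for row in rows:
        writer.writerow([neutralize_cell(row.get(f, "")) for f in fields])
    return buf.getvalue()


def parse_csv(text):
    """Read CSV text back into a list of rows, as a spreadsheet import would."""
    return list(csv.reader(io.StringIO(text)))


# Constructed sample: one honest device and one whose name and computed
# attribute carry the kind of formula payload the advisory describes.
SAMPLE_FIELDS = ["deviceName", "latitude", "longitude", "attr.fuel"]
SAMPLE_ROWS = [
    {"deviceName": "truck-01", "latitude": 51.5, "longitude": -0.12,
     "attr.fuel": "42"},
    {"deviceName": '=HYPERLINK("http://attacker.example/x","click")',
     "latitude": 48.8, "longitude": 2.35,
     "attr.fuel": "+cmd|' /C calc'!A0"},
]

if __name__ == "__main__":
    print(export_naive(SAMPLE_ROWS, SAMPLE_FIELDS))
    print(export_hardened(SAMPLE_ROWS, SAMPLE_FIELDS))
```

The single-quote prefix is the widely used neutralisation and is visible to the user in the cell; an exporter that must keep the original string exactly can instead refuse or strip the leading trigger character, but it must still handle the attribute columns, since in this bug class those are as user-controlled as the device name.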
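CVE-2020-5246 in the table above is LDAP filter injection: user input placed into a search filter without escaping lets the attacker rewrite the filter's logic. The following is an added example written for this page in Python, not Traccar's LDAP code, and it does not reproduce Traccar's actual filter template; the `(&(uid=...)(objectClass=person))` template and the hostile input are constructed. It shows the concatenating builder beside one that escapes the assertion value per RFC 4515, so the value can only ever match an entry whose attribute literally equals the supplied string.

```python
"""Added example: building an LDAP search filter from user input safely.

Illustrative code for this page, not Traccar's own. It models the bug class
described for CVE-2020-5246 (user input concatenated into an LDAP search
filter). The filter template and sample inputs are constructed.
"""

# RFC 4515 section 3: these characters must be escaped as \XX inside an
# assertion value. NUL is included because it terminates C strings in some
# LDAP client libraries. Per-character mapping avoids double escaping.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# Constructed template: authenticate a user by uid, restricted to person
# entries. The vulnerable and safe builders differ only in escaping.
_TEMPLATE = "(&(uid={user})(objectClass=person))"


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_naive(username):
    """Vulnerable form: raw concatenation. A username such as
    '*)(|(uid=*' closes the uid item and adds an OR branch, producing a
    well-formed filter that matches every entry with a uid."""
    return _TEMPLATE.format(user=username)


def build_filter_safe(username):
    """Hardened form: the value is escaped, so metacharacters in the username
    become literal bytes of the assertion value."""
    return _TEMPLATE.format(user=escape_filter_value(username))


def count_filter_items(ldap_filter):
    """Rough structural check: number of filter items, counted as unescaped
    '(' characters. Injection shows up as more items than the template has."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    hostile = "*)(|(uid=*"  # constructed payload
    print(build_filter_naive(hostile))  # logic rewritten, wildcard match
    print(build_filter_safe(hostile))   # literal, matches nothing real
```

Escaping is the correct fix, but the structural check is a useful second line of defence in a login path: if the number of filter items differs from the template's, the input was not treated as a plain value and the request should be rejected rather than sent to the directory.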