PatchSiren

traccar CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL traccar CVE published 2026-06-17

CVE-2026-48745

The Traccar Client, a GPS tracking mobile app, is vulnerable to a critical issue (CVE-2026-48745) in versions 9.7.19 and below. A crafted deep link can silently hijack GPS tracking parameters, redirecting telemetry to an attacker-controlled server. This issue, with a CVSS score of 9.3, allows for continuous, real-time tracking of the victim's location without requiring special permissions. The vulnerabili [truncated]

MEDIUM traccar CVE published 2026-05-26

CVE-2026-44314

Traccar versions prior to 6.13.0 contain an authorization bypass in the device image upload functionality. The `DeviceResource.uploadImage` endpoint validates user permissions through `Condition.Permission(User.class, getUserId(), Device.class)` but fails to invoke `permissionsService.checkEdit(getUserId(), Device.class, false, false)`—the guard that enforces `readonly` and `deviceReadonly` restrictions f [truncated]