CVE Catalog

CVE-2026-48745

CriticalCVSS 9.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.41%

33th percentile — higher than 33% of all known CVEs

Summary

The Traccar Client app, used for GPS tracking, is vulnerable in versions 9.7.19 and below to an attack that allows hijacking GPS tracking parameters via a crafted deep link. Such a link can change the app's configuration without confirmation, redirecting telemetry data to an attacker-controlled server.

Risk Assessment

An attacker can covertly take control of the victim's location tracking, leading to serious privacy and security breaches. Continuous, real-time tracking of the victim's location poses a risk of abuse.

Recommendation

It is recommended to update the Traccar Client app to version 9.7.20 to mitigate this vulnerability. Additionally, users should exercise caution when clicking on unknown links.

Original NVD description (English source)

Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The app registers a custom org.traccar.client://config deep-link scheme that silently writes attacker-supplied parameters (server URL, device ID, accuracy, distance, and interval) into the app's persistent configuration with no confirmation, notification, or visual indication. A single crafted link delivered via SMS, email, a webpage, or any installed app can therefore reconfigure the app the moment the victim taps it, with no special permissions required. As a result, an attacker can covertly redirect all of the victim's GPS telemetry to their own server at maximum precision and frequency, and the change persists across restarts. This gives the attacker continuous, real-time tracking of the victim's location. This issue has been fixed in version 9.7.20.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS