CVE-2026-48745
CriticalCVSS 9.3Exploitation Probability (EPSS)
Low risk33th percentile — higher than 33% of all known CVEs
Summary
The Traccar Client app, used for GPS tracking, is vulnerable in versions 9.7.19 and below to an attack that allows hijacking GPS tracking parameters via a crafted deep link. Such a link can change the app's configuration without confirmation, redirecting telemetry data to an attacker-controlled server.
Risk Assessment
An attacker can covertly take control of the victim's location tracking, leading to serious privacy and security breaches. Continuous, real-time tracking of the victim's location poses a risk of abuse.
Recommendation
It is recommended to update the Traccar Client app to version 9.7.20 to mitigate this vulnerability. Additionally, users should exercise caution when clicking on unknown links.
Original NVD description (English source)
Traccar Client is a GPS tracking mobile app for sending location updates to private servers using the open-source Traccar platform. In versions 9.7.19 and below, a single crafted deep link can silently hijack all GPS tracking parameters and redirect telemetry to an attacker-controlled server. The app registers a custom org.traccar.client://config deep-link scheme that silently writes attacker-supplied parameters (server URL, device ID, accuracy, distance, and interval) into the app's persistent configuration with no confirmation, notification, or visual indication. A single crafted link delivered via SMS, email, a webpage, or any installed app can therefore reconfigure the app the moment the victim taps it, with no special permissions required. As a result, an attacker can covertly redirect all of the victim's GPS telemetry to their own server at maximum precision and frequency, and the change persists across restarts. This gives the attacker continuous, real-time tracking of the victim's location. This issue has been fixed in version 9.7.20.

