CVE-2026-23521

Traccar vulnerable to Path Traversal and External Control of File Name or Path

Description

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build the filesystem path without enforcing that the resolved path stays under the media root. This allows writing files outside the media directory. As of time of publication, it is unclear whether a fix is available.

INFO

Published Date :

2026-02-23T20:57:31.195Z

Last Modified :

2026-02-23T20:57:31.195Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-23521 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23521.

URL	Resource
https://github.com/traccar/traccar/security/advisories/GHSA-rc28-cvfc-chqr

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact