CVE-2026-23521
Last modified
CVE-2026-23521 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build the filesystem path without enforcing that the resolved path stays under the media root. EPSS estimates a 0.32% chance of exploitation in the next 30 days.
Description
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build the filesystem path without enforcing that the resolved path stays under the media root. This allows writing files outside the media directory. As of time of publication, it is unclear whether a fix is available.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Traccar | Traccar | <= 6.11.1 |
References
- https://github.com/traccar/traccar/security/advisories/GHSA-rc28-cvfc-chqrExploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-23521?
How severe is CVE-2026-23521?
How do I fix CVE-2026-23521?
Are you affected by CVE-2026-23521?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST