CVE-2026-23521
MEDIUM
Traccar <= 6.11.1 - Authenticated Path Traversal and Arbitrary File Write via Device uniqueId
Title source: llmDescription
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When a device image is uploaded, Traccar uses that `uniqueId` to build the filesystem path without enforcing that the resolved path stays under the media root, so the upload is written outside the media directory. As of the time of publication, it is unclear whether a fix is available.
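As an added illustration, not Traccar's own code and not taken from the advisory, the Java sketch below shows the bug class the description names: a media path built with java.nio.file.Path.resolve() from a device uniqueId with no containment check, beside a hardened version that allow-lists the identifier and verifies the normalized result is still under the media root. The method names, the media root location, the allow-list pattern, the file name argument and the attacker inputs are all assumptions made for this example; the advisory does not say how Traccar builds the path.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not Traccar code): the path-building bug class behind the
// advisory, and one way to harden it. All names and paths are hypothetical.
public class MediaPathExample {

    // Hypothetical vulnerable construction. Path.resolve() returns its argument
    // unchanged when that argument is absolute, so an absolute uniqueId replaces
    // the media root; a uniqueId starting with ".." walks out of it after
    // normalization. Nothing here checks where the result ends up.
    static Path vulnerablePath(Path mediaRoot, String uniqueId, String fileName) {
        return mediaRoot.resolve(uniqueId).resolve(fileName);
    }

    // Hardened variant: allow-list the identifier, then verify containment.
    static Path safePath(Path mediaRoot, String uniqueId, String fileName) {
        Path root = mediaRoot.toAbsolutePath().normalize();
        // Device identifiers (IMEIs and the like) need no separators or dots;
        // the pattern and length limit are assumptions for this example.
        if (!uniqueId.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IllegalArgumentException("invalid uniqueId");
        }
        Path candidate = root.resolve(uniqueId).resolve(fileName)
                .toAbsolutePath().normalize();
        // Defence in depth: catches anything the allow-list missed, such as a
        // file name that itself contains ".." segments.
        if (!candidate.startsWith(root) || candidate.equals(root)) {
            throw new IllegalArgumentException("path escapes media root");
        }
        return candidate;
    }

    // Same predicate as a standalone check, usable for hunting through existing
    // device records on an unpatched instance.
    static boolean looksLikeTraversal(String uniqueId) {
        return uniqueId.startsWith("/") || uniqueId.startsWith("\\")
                || uniqueId.contains("..");
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/lib/traccar/media");  // assumed media root
        // Constructed attacker inputs for the example.
        String absoluteId = "/etc/cron.d/backdoor";
        String dotdotId = "../../../../tmp/evil";
        String benignId = "123456789012345";

        System.out.println(vulnerablePath(root, absoluteId, "device.png"));
        System.out.println(vulnerablePath(root, dotdotId, "device.png").normalize());
        System.out.println(safePath(root, benignId, "device.png"));
        for (String bad : new String[] {absoluteId, dotdotId}) {
            try {
                safePath(root, bad, "device.png");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
            System.out.println("suspect record: " + looksLikeTraversal(bad));
        }
    }
}
```

Running main() shows the two failure modes in the vulnerable method: the absolute uniqueId yields a path under /etc/cron.d with the media root discarded, and the ".." uniqueId normalizes to a path under /tmp; safePath() rejects both while accepting the numeric identifier. Until a fixed release is confirmed, operators can apply the looksLikeTraversal() predicate to the uniqueId of every stored device and treat any match as a sign of attempted or successful exploitation.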
References (1)
Vendor Advisory (x_refsource_confirm)
https://github.com/traccar/traccar/security/advisories/GHSA-rc28-cvfc-chqr
Scores
CVSS v3
6.5
EPSS
0.0032
EPSS Percentile
23.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
CWE-73
Status
published
Products (1)
traccar/traccar
< 6.11.1
Published
Feb 23, 2026
Tracked Since
Feb 23, 2026