CVE-2026-23521
MEDIUM 6.5
Description
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build the filesystem path without enforcing that the resolved path stays under the media root. This allows writing files outside the media directory. As of time of publication, it is unclear whether a fix is available.
CVE Details
CVSS v3.1 score: 6.5
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 2/23/2026
Last modified: 2/26/2026
Source: nvd
Honeypot sightings: 0
Affected products
traccar:traccar
Weaknesses (CWE)
CWE-22, CWE-73
References
https://github.com/traccar/traccar/security/advisories/GHSA-rc28-cvfc-chqr (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.