
Traccar GPS Tracking System: Unauthorized File Uploads Possible

CVE-2026-23521
Summary

Authenticated users with device editing privileges can upload files to any location on the server. This can lead to unauthorized data being stored or malicious code being executed. To mitigate, update to the latest version of Traccar or restrict user permissions to prevent users from creating or editing devices.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| traccar | traccar | <= 6.11.1 | – |
Original title
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an abs...
Original description
Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build the filesystem path without enforcing that the resolved path stays under the media root. This allows writing files outside the media directory. As of time of publication, it is unclear whether a fix is available.
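The missing containment check described above, sketched as an added example (this is not Traccar's code). It assumes the upload path is built with `java.nio.file.Path.resolve`; the class name, method names and sample identifiers are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class MediaPathCheck {

    // Unchecked pattern: Path.resolve() returns its argument unchanged when the
    // argument is absolute, so an absolute uniqueId silently drops the media root.
    static Path naiveTarget(Path mediaRoot, String uniqueId, String fileName) {
        return mediaRoot.resolve(uniqueId).resolve(fileName);
    }

    // Checked pattern: normalize the joined path, then require that it is still
    // located under the media root. Path.startsWith compares whole path
    // components, so "/media-evil" does not pass for root "/media".
    // Symlinks inside the root are not followed here; Path.toRealPath() on the
    // existing parent directory would be needed to cover that case.
    static Path safeTarget(Path mediaRoot, String uniqueId, String fileName) throws IOException {
        Path root = mediaRoot.toAbsolutePath().normalize();
        Path target = root.resolve(uniqueId).resolve(fileName).normalize();
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IOException("upload path escapes media root: " + uniqueId);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path mediaRoot = Files.createTempDirectory("media"); // stand-in for the media root
        // Constructed sample identifiers (POSIX paths): ordinary, absolute, and "..".
        String[] ids = {"123456789012345", "/tmp/outside", "../outside"};
        for (String id : ids) {
            System.out.println("uniqueId=" + id);
            System.out.println("  unchecked -> " + naiveTarget(mediaRoot, id, "device.png").normalize());
            try {
                System.out.println("  checked   -> " + safeTarget(mediaRoot, id, "device.png"));
            } catch (IOException e) {
                System.out.println("  checked   -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Rejecting path separators in `uniqueId` at device create and edit time is a complementary control, since it stops the value from being stored in the first place.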
NVD CVSS 3.1 score: 6.5
Vulnerability type
CWE-22 Path Traversal
CWE-73
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026