CVE-2026-23521

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-23521

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23521.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-23521

Aliases

GHSA-rc28-cvfc-chqr

Published

2026-02-23T20:57:31.195Z

Modified

2026-03-01T02:56:26.491149Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

Traccar vulnerable to Path Traversal and External Control of File Name or Path

Details

Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device uniqueId to an absolute path. When uploading a device image, Traccar uses that uniqueId to build the filesystem path without enforcing that the resolved path stays under the media root. This allows writing files outside the media directory. As of time of publication, it is unclear whether a fix is available.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23521.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22",
        "CWE-73"
    ]
}

References

Affected packages

Git /

Affected ranges

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-23521.json"