PT-2026-21558 · Traccar · Traccar

Djvirus9 · Published 2026-02-23 · Updated 2026-02-26 · CVE-2026-23521

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Traccar versions up to and including 6.11.1

Description

The Traccar GPS tracking system is affected by an issue where authenticated users with device creation or editing privileges can manipulate the uniqueId parameter to specify an absolute file path. This allows writing files outside the intended media directory because the system does not adequately validate that the resolved path remains within the designated media root during device image uploads.

Recommendations

Versions prior to 6.11.1 are recommended. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2026-23521
GHSA-RC28-CVFC-CHQR

Affected Products

Traccar