{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-11T08:10:42.936","vulnerabilities":[{"cve":{"id":"CVE-2026-23521","sourceIdentifier":"security-advisories@github.com","published":"2026-02-23T21:19:09.990","lastModified":"2026-02-26T16:27:57.280","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Versions of the Traccar open-source GPS tracking system up to and including 6.11.1 contain an issue in which authenticated users who can create or edit devices can set a device `uniqueId` to an absolute path. When uploading a device image, Traccar uses that `uniqueId` to build the filesystem path without enforcing that the resolved path stays under the media root. This allows writing files outside the media directory. As of time of publication, it is unclear whether a fix is available."},{"lang":"es","value":"Las versiones del sistema de seguimiento GPS de código abierto Traccar hasta la 6.11.1 inclusive contienen un problema en el que los usuarios autenticados que pueden crear o editar dispositivos pueden establecer el 'uniqueId' de un dispositivo a una ruta absoluta. Al cargar una imagen de dispositivo, Traccar utiliza ese 'uniqueId' para construir la ruta del sistema de archivos sin asegurar que la ruta resuelta permanezca bajo la raíz de medios. Esto permite escribir archivos fuera del directorio de medios. Al momento de la publicación, no está claro si hay una solución disponible."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"},{"lang":"en","value":"CWE-73"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:traccar:traccar:*:*:*:*:*:*:*:*","versionEndIncluding":"6.11.1","matchCriteriaId":"76FAA1A2-2E75-4EAC-A7FA-BD790B7986A6"}]}]}],"references":[{"url":"https://github.com/traccar/traccar/security/advisories/GHSA-rc28-cvfc-chqr","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}