CVE-2025-66398
published 2026-01-01

Priority: P2 71 · Severity: High · CVSS 3.1 base score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 17.93% (96.8th percentile)

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

Affected

3 ranges

Vendor    Product           Version range       Fixed in
signalk   signal_k_server   < 2.19.0            2.19.0
signalk   signalk-server    < 2.19.0            2.19.0
signalk   signalk-server    >= 0, < 2.19.0      2.19.0