CVE-2026-23515
Published 2026-02-02
Priority: P2 (66) | Severity: high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.16% (89.6th percentile)
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| signalk | set-system-time | >= 0 < 1.5.0 | 1.5.0 |
| signalk | signal_k_server | < 1.5.0 | 1.5.0 |
| signalk | signalk-server | < 1.5.0 | 1.5.0 |
OSV
Signal K set-system-time plugin vulnerable to RCE - Command Injection
osv·2026-02-02
CVE-2026-23515 [CRITICAL] Signal K set-system-time plugin vulnerable to RCE - Command Injection
### Summary
A Command Injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing `navigation.datetime` values received via WebSocket delta messages.
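The defensive pattern for this bug class, as an added example (not the plugin's code and not the 1.5.0 patch): accept `navigation.datetime` only as a strict UTC timestamp and hand it to `date` through `execFile` as a single argument, with no shell involved. The function names, the GNU `date -u -s` invocation, the unsafe string shape and the sample values are assumptions made for illustration.

```javascript
const { execFile } = require('node:child_process');

// Full-match pattern for a UTC timestamp such as 2026-02-02T10:00:00.000Z.
const ISO_UTC = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,3})?Z$/;

// Returns the canonical ISO string, or null if the value is not a clean timestamp.
function canonicalDatetime(value) {
  if (typeof value !== 'string' || !ISO_UTC.test(value)) return null;
  const ms = Date.parse(value);
  if (Number.isNaN(ms)) return null; // e.g. month 13
  const iso = new Date(ms).toISOString();
  // Round-trip check: rejects dates the engine silently normalises (Feb 30 -> Mar 2).
  return iso.slice(0, 19) === value.slice(0, 19) ? iso : null;
}

// Unsafe shape (hypothetical, for contrast only): the value is spliced into a
// command line that a shell will parse, so quotes and ';' in it change the command.
function unsafeCommandLine(value) {
  return 'date -u -s "' + value + '"';
}

// Hardened shape: an argv array. execFile spawns the program directly, so the
// timestamp is always exactly one argument and is never parsed by a shell.
function dateArgv(value) {
  const iso = canonicalDatetime(value);
  return iso === null ? null : ['-u', '-s', iso];
}

// Sets the clock only for validated values (assumes GNU date and sufficient privileges).
function setSystemTime(value, done) {
  const argv = dateArgv(value);
  if (argv === null) return done(new Error('rejected navigation.datetime value'));
  execFile('date', argv, { timeout: 5000 }, done);
}

// Constructed sample delta values (not captured traffic).
const SAMPLES = [
  '2026-02-02T10:00:00Z',
  '2026-02-02T10:00:00Z"; echo injected; "',
];

function classifySamples() {
  return SAMPLES.map((v) => (dateArgv(v) === null ? 'rejected' : 'accepted'));
}
```

Rejected values are worth logging with the source of the delta, since a non-timestamp in `navigation.datetime` is a useful signal on its own.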
### Details
**Product:** Signal K set-system-time plugin
**Repository:** https://github.com/SignalK/set-system-time
File: `index.js`, lines 60-71
```javascript
stream.onValue(function (datetime) {
  var child
  if (process.platform == 'win32') {
    console.error("Set-system-time support…
```
GHSA
Signal K set-system-time plugin vulnerable to RCE - Command Injection
ghsa·2026-02-02
CVE-2026-23515 [CRITICAL] CWE-78 Signal K set-system-time plugin vulnerable to RCE - Command Injection
No detection rules found.
No public exploits indexed.
2026-02-02
Published