CVE-2026-25228
published 2026-02-02

CVE-2026-25228: Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's…

Priority: P4 28 | Severity: medium | CVSS 3.1: 4.3
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.38% (30.2th percentile)

Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.

Affected

3 ranges

Vendor    Product            Version range      Fixed in
signalk   signal_k_server    < 2.20.3           2.20.3
signalk   signalk-server     < 2.20.3           2.20.3
signalk   signalk-server     >= 0 < 2.20.3      2.20.3