CVE-2026-25228
Published 2026-02-02
Priority: P428 · Severity: medium · CVSS 3.1 base score: 4.3
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.38% (30.2nd percentile)
Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| signalk | signal_k_server | < 2.20.3 | 2.20.3 |
| signalk | signalk-server | < 2.20.3 | 2.20.3 |
| signalk | signalk-server | >= 0 < 2.20.3 | 2.20.3 |
GHSA · 2026-02-02 · CVE-2026-25228 [MEDIUM] CWE-22
SignalK Server has Path Traversal leading to information disclosure
### Summary
A Path Traversal vulnerability in SignalK Server's `applicationData` API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The `validateAppId()` function blocks forward slashes (`/`) but not backslashes (`\`), which are treated as directory separators by `path.join()` on Windows. This enables attackers to escape the intended `applicationData` directory.
### Details
**Platform**: Windows (Linux only allows traversal up a single directory)
**Authentication Required**: Yes (ability to write depends on user's permission)
The vulnerability exists in the `validateAppId()` function within the applicationData API handler. This function validates
OSV · 2026-02-02 · CVE-2026-25228 [MEDIUM]
SignalK Server has Path Traversal leading to information disclosure (same advisory text as the GHSA entry)
No detection rules found.
No public exploits indexed.