
Signalk Signalk-Server vulnerabilities

15 known vulnerabilities affecting signalk/signalk-server.

Total CVEs: 15
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 8, MEDIUM 5

Vulnerabilities

CVE-2025-66398 | P2 | HIGH | CVSS 8.8 | fixed in 2.19.0 | 2026-01-01
CVE-2025-66398 [HIGH] CWE-78: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server confi…
Sources: ghsa, nvd, osv
CVE-2025-68620 | P2 | CRITICAL | CVSS 9.1 | fixed in 2.19.0 | 2026-01-01
CVE-2025-68620 [CRITICAL] CWE-288: Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration with unauthenticated polling of access request status. The first is Unau…
Sources: ghsa, nvd, osv
CVE-2026-23515 | P2 | HIGH | CVSS 8.8 | fixed in 1.5.0 | 2026-02-02
CVE-2026-23515 [HIGH] CWE-78: Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is…
Sources: nvd
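The CWE-78 pattern behind CVE-2026-23515, as an added example that is not code from signalk-server or the set-system-time plugin: a caller-supplied time value spliced into a shell string versus the same value validated and passed as a separate argv entry. The example assumes the plugin ultimately runs something like `date -s <value>`; the command, the flag and the function names are illustrative assumptions.

```javascript
// Added illustration, not project code. Assumes a Linux-style `date -s <value>`
// invocation; the real plugin's command line is not shown in the advisory text.

// Vulnerable shape: the value is spliced into a shell string, so a closing quote
// followed by a shell metacharacter turns the timestamp into a second command.
function buildSetTimeShellUnsafe(value) {
  return `date -s "${value}"`;
}

// Accept only an RFC 3339 / ISO 8601 UTC timestamp such as 2026-01-01T00:00:00Z,
// and require that Date can parse it back into a real instant.
const ISO_UTC_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,3})?Z$/;

function validateTimestamp(value) {
  if (typeof value !== 'string' || !ISO_UTC_RE.test(value)) return null;
  const ms = Date.parse(value);
  if (Number.isNaN(ms)) return null;
  return new Date(ms).toISOString(); // canonical form, never the raw input
}

// Hardened shape: validate first, then hand the value to child_process.execFile
// as its own argv element, e.g. execFile(cmd.file, cmd.args, callback).
// No shell is involved, so quoting and metacharacters are irrelevant.
function buildSetTimeArgv(value) {
  const ts = validateTimestamp(value);
  if (ts === null) throw new Error('rejected time value');
  return { file: 'date', args: ['-s', ts] };
}
```

The allowlist regex does most of the work; `execFile` with an argv array is the second layer, so that even a value that slips past validation cannot start a new command.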
CVE-2026-33950 | P2 | CRITICAL | CVSS 9.4 | fixed in 2.24.0-beta.4 | 2026-04-02
CVE-2026-33950 [CRITICAL] CWE-285: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing d…
Sources: ghsa, nvd, osv
CVE-2026-33951 | P3 | HIGH | CVSS 7.5 | fixed in 2.24.0-beta.1 | 2026-04-02
CVE-2026-33951 [HIGH] CWE-284: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or author…
Sources: ghsa, nvd, osv
CVE-2025-69203 | P3 | HIGH | CVSS 8.8 | fixed in 2.19.0 | 2026-01-01
CVE-2025-69203 [HIGH] CWE-290: Signal K Server is a server application that runs on a central hub in a boat. In versions prior to 2.19.0, the access request system has two related features that, combined with each other and with an information disclosure vulnerability, enable convincing social engineering attacks against administrators. When a device creates an access request, it…
Sources: ghsa, nvd, osv
CVE-2025-68619 | P3 | HIGH | CVSS 7.2 | fixed in 2.19.0 | 2026-01-01
CVE-2025-68619 [HIGH] CWE-94: Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm registry as a known plugin or webapp, the version parameter accepts arbitrary npm…
Sources: ghsa, nvd, osv
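The gap described in CVE-2025-68619 is that the package name is checked but the version string is not. The following added example (not signalk-server code, and not a claim about how the 2.19.0 fix is implemented) constrains the version to an exact semver version or a simple npm dist-tag before the package spec is built. The request shape, function names and the set of accepted forms are assumptions for illustration.

```javascript
// Added illustration, not project code. Accepts exact semver versions
// (1.2.3, 2.19.0-beta.1) and short dist-tags (latest, beta); rejects anything
// npm would interpret as a git remote, URL, tarball or local path.
const SEMVER_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DIST_TAG_RE = /^[a-z][a-z0-9-]{0,31}$/;

function isSafeVersionSpec(version) {
  if (version === undefined) return true; // let npm apply its default tag
  if (typeof version !== 'string' || version.length > 64) return false;
  return SEMVER_RE.test(version) || DIST_TAG_RE.test(version);
}

// Vulnerable shape: whatever string arrives is concatenated into the spec, so
// "version" can carry git+https://..., https://.../x.tgz, file:../x, github:a/b ...
function buildInstallSpecUnsafe(name, version) {
  return version === undefined ? name : `${name}@${version}`;
}

// Hardened shape: the name has already been checked against the registry (as the
// advisory says the endpoint does); the version is now checked as well.
function buildInstallSpecSafe(name, version) {
  if (!isSafeVersionSpec(version)) {
    throw new Error(`rejected version spec for ${name}: ${String(version)}`);
  }
  return version === undefined ? name : `${name}@${version}`;
}
```

If ranges such as `^2.19.0` are needed they should be parsed with a semver library and re-serialised, rather than passed through as text.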
CVE-2026-41893 | P3 | HIGH | CVSS 7.5 | fixed in 2.25.0 | 2026-05-09
CVE-2026-41893 [HIGH] CWE-307: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password…
Sources: ghsa, nvd
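CVE-2026-41893 is classified CWE-307, and the text contrasts the rate-limited HTTP login endpoints with the WebSocket login path. The added example below (not signalk-server code) shows the shape that closes that gap: one limiter keyed by client address that both the HTTP handler and the WebSocket `{login: {...}}` handler must consult. The 100-per-10-minute default mirrors the figure quoted above; the handler signatures, the `authenticate()` callback and the response objects are illustrative.

```javascript
// Added illustration, not project code. The limiter is deliberately tiny
// (in-memory, per process); express-rate-limit or a shared store would replace
// it in a real deployment, but the point is that both login paths share it.
class LoginRateLimiter {
  constructor({ max = 100, windowMs = 10 * 60 * 1000, now = Date.now } = {}) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;             // injectable clock so the window is testable
    this.attempts = new Map();  // client address -> timestamps inside the window
  }

  // Records an attempt and returns false once the client is over the limit.
  allow(client) {
    const t = this.now();
    const recent = (this.attempts.get(client) || []).filter((ts) => ts > t - this.windowMs);
    if (recent.length >= this.max) {
      this.attempts.set(client, recent);
      return false;
    }
    recent.push(t);
    this.attempts.set(client, recent);
    return true;
  }
}

// HTTP path: same contract express-rate-limit gives POST /login.
function httpLogin(limiter, req, authenticate) {
  if (!limiter.allow(req.ip)) return { status: 429, body: 'Too many login attempts' };
  const ok = authenticate(req.body.username, req.body.password);
  return ok ? { status: 200, body: 'ok' } : { status: 401, body: 'bad credentials' };
}

// WebSocket path: a frame of the form {login: {username, password}} is a login
// attempt and is charged against the same per-client budget before any
// credential check happens.
function wsLoginMessage(limiter, clientIp, msg, authenticate) {
  if (!msg || typeof msg.login !== 'object' || msg.login === null) return null; // not a login frame
  if (!limiter.allow(clientIp)) return { login: { status: 429, message: 'Too many login attempts' } };
  const ok = authenticate(msg.login.username, msg.login.password);
  return { login: { status: ok ? 200 : 401 } };
}
```

Charging the budget before the credential check matters: a limiter that only counts failures still lets an attacker probe until the first success.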
CVE-2025-68272 | P3 | HIGH | CVSS 7.5 | fixed in 2.19.0 | 2026-01-01
CVE-2025-68272 [HIGH] CWE-400: Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint (`/signalk/v1/access/requests`). This causes a "JavaScript heap out of memory" error due to unbounded in…
Sources: ghsa, nvd, osv
CVE-2026-39320 | P3 | HIGH | CVSS 7.5 | fixed in 2.25.0 | 2026-04-21
CVE-2026-39320 [HIGH] CWE-400: Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker…
Sources: ghsa, nvd
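The root cause named in CVE-2026-39320 is a subscription `context` reaching `RegExp` with its metacharacters intact. The added example below (not signalk-server code) shows the vulnerable shape next to two safe alternatives: escaping everything except the wildcard, and dropping regex altogether for a linear-time glob match. It assumes that a `*` in a Signal K context such as `vessels.*` should match any run of characters; that semantic, the length cap and the function names are illustrative.

```javascript
// Added illustration, not project code.
const MAX_CONTEXT_LEN = 256; // assumed cap; bounds the work any matcher can do

// Vulnerable shape: the subscriber's string is the pattern, so metacharacters are
// interpreted and a crafted context can drive the engine into catastrophic
// backtracking on every delta the server tries to match.
function contextMatcherUnsafe(context) {
  const re = new RegExp(context);
  return (ctx) => re.test(ctx);
}

// Minimal fix: escape every metacharacter, then put only '*' back, and anchor.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

function checkContext(context) {
  if (typeof context !== 'string' || context.length === 0 || context.length > MAX_CONTEXT_LEN) {
    throw new Error('invalid subscription context');
  }
}

function contextMatcherEscaped(context) {
  checkContext(context);
  const pattern = context.split('*').map(escapeRegExp).join('.*');
  const re = new RegExp(`^${pattern}$`);
  return (ctx) => typeof ctx === 'string' && ctx.length <= MAX_CONTEXT_LEN && re.test(ctx);
}

// Stronger option: no regex engine at all. Two-pointer glob match for '*' that
// backtracks only to the most recent wildcard, so its cost stays bounded by
// pattern length times input length.
function globMatch(pattern, input) {
  let p = 0, s = 0, starP = -1, starS = -1;
  while (s < input.length) {
    if (p < pattern.length && pattern[p] === input[s]) { p++; s++; }
    else if (p < pattern.length && pattern[p] === '*') { starP = p++; starS = s; }
    else if (starP !== -1) { p = starP + 1; s = ++starS; }
    else return false;
  }
  while (p < pattern.length && pattern[p] === '*') p++;
  return p === pattern.length;
}

function contextMatcherSafe(context) {
  checkContext(context);
  return (ctx) => typeof ctx === 'string' && ctx.length <= MAX_CONTEXT_LEN && globMatch(context, ctx);
}
```

The escaped form is the smallest diff against code that already uses `RegExp`, but several `*` wildcards still give a polynomial worst case; the glob matcher avoids the engine entirely and is the better choice when the only wildcard needed is `*`.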
CVE-2026-35038 | P3 | MEDIUM | CVSS 6.5 | fixed in 2.24.0 | 2026-04-02
CVE-2026-35038 [MEDIUM] CWE-20: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype o…
Sources: ghsa, nvd, osv
CVE-2025-68273 | P4 | MEDIUM | CVSS 5.3 | fixed in 2.19.0 | 2026-01-01
CVE-2025-68273 [MEDIUM] CWE-200: Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnais…
Sources: ghsa, nvd, osv
CVE-2026-34083 | P4 | MEDIUM | CVSS 6.1 | fixed in 2.24.0 | 2026-04-02
CVE-2026-34083 [MEDIUM] CWE-346: Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an att…
Sources: ghsa, nvd, osv
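CVE-2026-34083 comes down to one line: the `redirect_uri` is built from `Host`. The added example below (not signalk-server code) puts that shape beside one that takes the redirect URI from configuration and, when none is configured, refuses to proceed unless the `Host` value is on an explicit allowlist. The config keys, the callback path and the Express-style request shape are assumptions for illustration.

```javascript
// Added illustration, not project code.
const CALLBACK_PATH = '/auth/oidc/callback'; // assumed path

// Vulnerable shape: whoever controls the Host header controls where the
// identity provider sends the authorization code after login.
function redirectUriFromHost(req) {
  const proto = req.secure ? 'https' : 'http';
  return `${proto}://${req.headers.host}${CALLBACK_PATH}`;
}

// Hardened shape: prefer the configured redirectUri. With no redirectUri, do not
// fall back to Host silently; accept it only if it matches an allowlist of the
// server's own public host[:port] values, and fail closed otherwise.
function redirectUriFromConfig(config, req) {
  if (config.redirectUri) return config.redirectUri;
  const host = req.headers.host;
  const allowed = Array.isArray(config.allowedHosts) ? config.allowedHosts : [];
  if (!allowed.includes(host)) {
    throw new Error(`refusing OIDC login: Host "${host}" is not a configured public host`);
  }
  const proto = config.forceHttps || req.secure ? 'https' : 'http';
  return `${proto}://${host}${CALLBACK_PATH}`;
}
```

Allowlist entries must include the port when clients send one (`boat.example:3443`), since `Host` carries it. The same rule applies to the logout `post_logout_redirect_uri` the advisory mentions.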
CVE-2026-25228 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.20.3 | 2026-02-02
CVE-2026-25228 [MEDIUM] CWE-22: Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not…
Sources: ghsa, nvd, osv
CVE-2026-55591 | MEDIUM | affected ≥ 0, < 2.28.0 | 2026-06-18
CVE-2026-55591 [MEDIUM] CWE-918: Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints. Summary: signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery (SSRF) vulnerability in three administrative endpoints used for remote Signal K server connection management. The `makeRemoteRequest()` function accepts attacker-controlled `host`, `port`, `useTLS`, and `selfsign…
Sources: ghsa