57 matches found

Snyk
added 2026/04/03 9:43 p.m., 0 views

Origin Validation Error

Overview: signalk-server is an implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Origin Validation Error via the construction of the redirectUri and fullPostLogoutUri using an unvalidated Host header in the OIDC authentication and logout processe...

CVSS 6.1 | AI score 5.9 | EPSS 0.00023
Exploits 1 | References 2
EUVD
added 2026/04/03 9:42 p.m., 2 views

EUVD-2026-18374

Signal K Server: Unauthenticated Source Priorities Manipulation...

CVSS 6.9 | AI score 5.9 | EPSS 0.00102
Exploits 0 | References 3
Snyk
added 2026/04/03 9:42 p.m., 1 views

Missing Authentication for Critical Function

Overview: signalk-server is an implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the PUT /signalk/v1/api/sourcePriorities endpoint, which lacks authentication and directly assigns user input to...

CVSS 7.5 | AI score 5.9 | EPSS 0.00102
Exploits 0 | References 3
RedhatCVE
added 2026/04/03 5:00 p.m., 3 views

CVE-2026-35038

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via from field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal...

CVSS 6.5 | AI score 6 | EPSS 0.00067
Exploits 1 | References 1
Snyk
added 2026/04/03 4:04 a.m., 2 views

Out-of-bounds Read

Overview: signalk-server is an implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Out-of-bounds Read in the from field of JSON-patch operations. An attacker can access internal Node.js functions and prototype state by crafting a payload that targe...

CVSS 6.5 | AI score 5.9 | EPSS 0.00067
Exploits 1 | References 2
EUVD
added 2026/04/03 4:04 a.m., 1 views

EUVD-2026-18396

Signal K Server: Arbitrary Prototype Read via from Field Bypass...

CVSS 5.3 | AI score 5.8 | EPSS 0.00067
Exploits 1 | References 3
Cvelist
added 2026/04/02 4:20 p.m., 15 views

CVE-2026-35038 signalk-server: Arbitrary Prototype Read via `from` Field Bypass

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via from field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal...

CVSS 5.3 | EPSS 0.00067
Exploits 1 | References 2
Vulnrichment
added 2026/04/02 4:14 p.m., 1 views

CVE-2026-34083 signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectU...

CVSS 6.1 | AI score 5.9 | EPSS 0.00023
Exploits 1 | References 2
ATTACKERKB
added 2026/04/02 4:14 p.m., 0 views

CVE-2026-34083

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectU...

CVSS 6.1 | AI score 5.9 | EPSS 0.00023
Exploits 1 | References 3 | Affected Software 1
ATTACKERKB
added 2026/04/02 4:11 p.m., 1 views

CVE-2026-33951

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT...

CVSS 6.9 | AI score 5.8 | EPSS 0.00102
Exploits 0 | References 3 | Affected Software 1
ATTACKERKB
added 2026/04/02 4:08 p.m., 0 views

CVE-2026-33950

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...

CVSS 9.4 | AI score 5.8 | EPSS 0.00031
Exploits 1 | References 3 | Affected Software 1
Vulnrichment
added 2026/04/02 4:08 p.m., 0 views

CVE-2026-33950 signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...

CVSS 9.4 | AI score 5.9 | EPSS 0.00031
Exploits 1 | References 2
Cvelist
added 2026/04/02 4:08 p.m., 12 views

CVE-2026-33950 signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...

CVSS 9.4 | EPSS 0.00031
Exploits 1 | References 2
CVE
added 2026/04/02 4:08 p.m., 1 views

CVE-2026-33950

SignalK server (signalk-server) is affected. Before version 2.24.0-beta.4, there is a privilege escalation via Admin Role Injection through /enableSecurity. An unauthenticated attacker can gain full Administrator access to the server, potentially modifying vessel routing data, server configuratio...

CVSS 9.4 | AI score 5.8 | EPSS 0.00031
Exploits 1 | References 2 | Affected Software 1
Positive Technologies
added 2026/04/02 12:00 a.m., 1 views

PT-2026-29796

Name of the Vulnerable Software and Affected Versions: Signal K Server versions prior to 2.24.0-beta.4. Description: Signal K Server, a server application used in marine navigation systems, contains a privilege escalation issue. An unauthenticated attacker can exploit this to gain full Administrator...

CVSS 9.4 | AI score 5.9 | EPSS 0.00031
Exploits 1 | References 9
Positive Technologies
added 2026/04/02 12:00 a.m., 1 views

PT-2026-29804

Summary: The /signalk/v1/applicationData/... JSON-patch endpoint allows users to modify stored application data. To prevent Prototype Pollution, the developers implemented an isPrototypePollutionPath guard. However, this guard only checks the path property of incoming JSON-patch objects. It...

CVSS 5.3 | AI score 6.5 | EPSS 0.00067
Exploits 1 | References 5
CNNVD
added 2026/04/02 12:00 a.m., 1 views

Signal K Server Information Disclosure Vulnerability

The Signal K Server is an open-source marine central server developed by Signal K. Versions of the Signal K Server prior to 2.24.0 contained a vulnerability related to information leakage. This vulnerability stemmed from the from field bypassing the prototype boundary filtering mechanism, which...

CVSS 6.5 | AI score 5.8 | EPSS 0.00067
Exploits 1 | References 2
Positive Technologies
added 2026/04/02 12:00 a.m., 1 views

PT-2026-29798

Summary: SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect uri. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header to steal OAut...

CVSS 6.1 | AI score 6 | EPSS 0.00023
Exploits 1 | References 5
OSV
added 2026/02/27 12:00 a.m., 1 views

OPENSUSE-SU-2026:10270-1 gosec-2.24.0-1.1 on GA media

These are all security issues fixed in the gosec-2.24.0-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 8.7 | AI score 5.8 | EPSS 0.00422
Exploits 0 | References 1
CVE
added 2025/10/27 7:33 p.m., 4 views

CVE-2025-58356

Constellation uses LUKS2-encrypted volumes for persistent storage in a Confidential Kubernetes setup. The vulnerability arises when opening an encrypted device via crypt_activate_by_passphrase because cryptsetup 2.8.1 mishandles null keyslot algorithms, which can cause a volume to be opened withou...

CVSS 8.3 | AI score 6.3 | EPSS 0.00005
Exploits 0 | References 4