CVE-2026-41893

Signal K Server’s WebSocket login path (via ws signalk/v1/stream) processes login attempts without rate limiting, enabling credential brute‑forcing at ~20 attempts/sec per WebSocket connection and bypassing HTTP rate limiting. Affected cve: CVE-2026-41893 concerns pre‑2.25.0 behavior. Technical d...

Regular Expression Denial of Service (ReDoS)

Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the contextMatcher and pathMatcher functions. An attacker can cause the server to become unresponsive and exhaust CPU...

current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2026-39320 via signalk-server (=1.46.3)

signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2026-39320 Source advisory: OSV:GHSA-7GCJ-PHFF-2884...

GHSA-7GCJ-PHFF-2884 Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths

Summary The SignalK server is vulnerable to an unauthenticated Regular Expression Denial of Service ReDoS attack within its WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the context parameter of a stream subscription, an attacker can force the server's...

GHSA-CXJ8-GGF2-P57C Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Summary SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectUri configuration is silently unset by default, an attacker spoof the Host header to steal OAuth...

Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Summary SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectUri configuration is silently unset by default, an attacker spoof the Host header to steal OAuth...

Origin Validation Error

Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Origin Validation Error via the construction of the redirectUri and fullPostLogoutUri using an unvalidated Host header in the OIDC authentication and logout processe...

current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2026-33951 via signalk-server (=1.46.3)

signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2026-33951 Source advisory: OSV:GHSA-GFMV-VH34-H2X5...

EUVD-2026-18374

Signal K Server: Unauthenticated Source Priorities Manipulation...

Signal K Server: Unauthenticated Source Priorities Manipulation

Summary The SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns...

Missing Authentication for Critical Function

Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the PUT /signalk/v1/api/sourcePriorities endpoint, which lacks authentication and directly assigns user input to...

current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2026-33950 via signalk-server (=1.46.3)

signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2026-33950 Source advisory: OSV:GHSA-X8HC-FQV3-7GWF...

EUVD-2026-18372

Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity...

Authentication Bypass Using an Alternate Path or Channel

Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the /skServer/enableSecurity endpoint. An attacker can gain unauthorized administrative privileges by...

CVE-2026-33951

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT...

current-impact (=1.0.0), nmea-streamer (>=1.0.1 <=2.2.0) potentially affected by CVE-2026-35038 via signalk-server (=1.46.3)

signalk-server NPM version =1.46.3 is affected by a known vulnerability. The following packages have a transitive dependency on signalk-server and may be impacted: - current-impact =1.0.0 - nmea-streamer =1.0.1, =2.2.0 Source cves: CVE-2026-35038 Source advisory: OSV:GHSA-QH3J-MRG8-F234...

Out-of-bounds Read

Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Out-of-bounds Read in the from field of JSON-patch operations. An attacker can access internal Node.js functions and prototype state by crafting a payload that targe...

CVE-2026-33951

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT...

CVE-2026-35038 signalk-server: Arbitrary Prototype Read via `from` Field Bypass

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via from field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal...

CVE-2026-35038

CVE-2026-35038 affects Signal K Server (prior to v2.24.0). Affected component: prototype boundary filtering in the global prototype object accessed via the from field, allowing a low-privileged authenticated user to bypass filtering and read internal functions/properties, violating data isolation...