58 matches found
CVE-2026-35038
CVE-2026-35038 affects Signal K Server (prior to v2.24.0). Affected component: prototype boundary filtering in the global prototype object accessed via the from field, allowing a low-privileged authenticated user to bypass filtering and read internal functions/properties, violating data isolation...
CVE-2026-34083 signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectU...
CVE-2026-34083 signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectU...
CVE-2026-34083
Signal K Server (signalk-server) prior to v2.24.0 contains a code-level vulnerability in its OIDC login/logout flow where an unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because redirectUri is silently unset by default, an attacker can spoof the Host header to direct...
CVE-2026-33951
Signal K Server (boat hub) exposes an unauthenticated HTTP endpoint PUT /signalk/v1/api/sourcePriorities that directly assigns user input to the server configuration, enabling attackers to modify navigation data source priorities. The issue is triggered by missing authentication/authorization and...
CVE-2026-33950 signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...
CVE-2026-33950
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...
CVE-2026-33950 signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...
CVE-2026-33950
SignalK server (signalk-server) is affected. Before version 2.24.0-beta.4, there is a privilege escalation via Admin Role Injection through /enableSecurity. An unauthenticated attacker can gain full Administrator access to the server, potentially modifying vessel routing data, server configuratio...
PT-2026-29796
Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 2.24.0-beta.4 Description Signal K Server, a server application used in marine navigation systems, contains a privilege escalation issue. An unauthenticated attacker can exploit this to gain full Administrator...
CVE-2026-25228
Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The...
CVE-2026-25228
CVE-2026-25228 affects SignalK Server. Before 2.20.3, a path traversal flaw in the Windows-variant applicationData API allows authenticated users to read, write, and list arbitrary files and directories due to validateAppId() not filtering backslashes, which Windows path.join() uses as separators...
CVE-2026-25228 SignalK Server has Path Traversal leading to information disclosure
Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The...
CVE-2026-25228 SignalK Server has Path Traversal leading to information disclosure
Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The...
Directory Traversal
Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Directory Traversal via improper validation in the validateAppId function. An attacker can access arbitrary files and directories outside the intended directory by...
SignalK Server has Path Traversal leading to information disclosure
Summary A Path Traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId function blocks forward slashes / but not backslashes , which are treated as...
GHSA-VRHW-V2HW-JFFX SignalK Server has Path Traversal leading to information disclosure
Summary A Path Traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId function blocks forward slashes / but not backslashes , which are treated as...
signalk-server (>=1.0.0 <=1.1.2) potentially affected by CVE-2026-23515 via @signalk/set-system-time (>=1.0.0 <=1.2.0)
@signalk/set-system-time NPM version =1.0.0, =1.0.0, =1.1.2 Source cves: CVE-2026-23515 Source advisory: OSV:GHSA-P8GP-2W28-MHWG...
signalk-server (>=1.0.0 <=1.1.2) potentially affected by CVE-2026-23515 via @signalk/set-system-time (>=1.0.0 <=1.2.0)
@signalk/set-system-time NPM version =1.0.0, =1.0.0, =1.1.2 Source cves: CVE-2026-23515 Source advisory: SNYK:JS-SIGNALKSETSYSTEMTIME-15182653...
Denial Of Service (DoS)
signalk-server is vulnerable to Denial of Service DoS. The vulnerability is due to unbounded in-memory storage of access request objects at the /signalk/v1/access/requests endpoint, which allows an unauthenticated attacker to flood the endpoint and crash the server through memory exhaustion...