Lucene search
K

58 matches found

CVE
CVE
added 2026/04/02 4:20 p.m.8 views

CVE-2026-35038

CVE-2026-35038 affects Signal K Server (prior to v2.24.0). Affected component: prototype boundary filtering in the global prototype object accessed via the from field, allowing a low-privileged authenticated user to bypass filtering and read internal functions/properties, violating data isolation...

6.5CVSS5.9AI score0.00308EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/04/02 4:14 p.m.16 views

CVE-2026-34083 signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectU...

6.1CVSS0.00112EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/04/02 4:14 p.m.2 views

CVE-2026-34083 signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirecturi. Because the redirectU...

6.1CVSS5.9AI score0.00112EPSS
Exploits1References2
CVE
CVE
added 2026/04/02 4:14 p.m.13 views

CVE-2026-34083

Signal K Server (signalk-server) prior to v2.24.0 contains a code-level vulnerability in its OIDC login/logout flow where an unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because redirectUri is silently unset by default, an attacker can spoof the Host header to direct...

6.1CVSS5.9AI score0.00112EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/04/02 4:11 p.m.16 views

CVE-2026-33951

Signal K Server (boat hub) exposes an unauthenticated HTTP endpoint PUT /signalk/v1/api/sourcePriorities that directly assigns user input to the server configuration, enabling attackers to modify navigation data source priorities. The issue is triggered by missing authentication/authorization and...

7.5CVSS5.8AI score0.0031EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/02 4:8 p.m.18 views

CVE-2026-33950 signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...

9.4CVSS0.00418EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/04/02 4:8 p.m.6 views

CVE-2026-33950

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...

9.4CVSS5.8AI score0.00418EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/02 4:8 p.m.5 views

CVE-2026-33950 signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...

9.4CVSS5.9AI score0.00418EPSS
Exploits1References2
CVE
CVE
added 2026/04/02 4:8 p.m.11 views

CVE-2026-33950

SignalK server (signalk-server) is affected. Before version 2.24.0-beta.4, there is a privilege escalation via Admin Role Injection through /enableSecurity. An unauthenticated attacker can gain full Administrator access to the server, potentially modifying vessel routing data, server configuratio...

9.4CVSS5.8AI score0.00418EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/02 12:0 a.m.4 views

PT-2026-29796

Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 2.24.0-beta.4 Description Signal K Server, a server application used in marine navigation systems, contains a privilege escalation issue. An unauthenticated attacker can exploit this to gain full Administrator...

9.4CVSS5.9AI score0.00418EPSS
Exploits1References9
RedhatCVE
RedhatCVE
added 2026/02/04 3:15 a.m.5 views

CVE-2026-25228

Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The...

5CVSS5.5AI score0.00384EPSS
Exploits1References1
CVE
CVE
added 2026/02/02 11:2 p.m.14 views

CVE-2026-25228

CVE-2026-25228 affects SignalK Server. Before 2.20.3, a path traversal flaw in the Windows-variant applicationData API allows authenticated users to read, write, and list arbitrary files and directories due to validateAppId() not filtering backslashes, which Windows path.join() uses as separators...

5CVSS5.6AI score0.00384EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/02 11:2 p.m.3 views

CVE-2026-25228 SignalK Server has Path Traversal leading to information disclosure

Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The...

5CVSS5.6AI score0.00384EPSS
Exploits1References2
OSV
OSV
added 2026/02/02 11:2 p.m.4 views

CVE-2026-25228 SignalK Server has Path Traversal leading to information disclosure

Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The...

5CVSS5.6AI score0.00384EPSS
Exploits1References4
Snyk
Snyk
added 2026/02/02 10:26 p.m.2 views

Directory Traversal

Overview signalk-server is an An implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Directory Traversal via improper validation in the validateAppId function. An attacker can access arbitrary files and directories outside the intended directory by...

5.4CVSS6.5AI score0.00384EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/02/02 10:26 p.m.9 views

SignalK Server has Path Traversal leading to information disclosure

Summary A Path Traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId function blocks forward slashes / but not backslashes , which are treated as...

5CVSS5.7AI score0.00384EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/02/02 10:26 p.m.4 views

GHSA-VRHW-V2HW-JFFX SignalK Server has Path Traversal leading to information disclosure

Summary A Path Traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId function blocks forward slashes / but not backslashes , which are treated as...

5CVSS5.7AI score0.00384EPSS
Exploits1References4
vulnersOsv
vulnersOsv
added 2026/02/02 6:10 p.m.7 views

signalk-server (>=1.0.0 <=1.1.2) potentially affected by CVE-2026-23515 via @signalk/set-system-time (>=1.0.0 <=1.2.0)

@signalk/set-system-time NPM version =1.0.0, =1.0.0, =1.1.2 Source cves: CVE-2026-23515 Source advisory: OSV:GHSA-P8GP-2W28-MHWG...

9.9CVSS5.8AI score0.04163EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2026/02/02 6:10 p.m.4 views

signalk-server (>=1.0.0 <=1.1.2) potentially affected by CVE-2026-23515 via @signalk/set-system-time (>=1.0.0 <=1.2.0)

@signalk/set-system-time NPM version =1.0.0, =1.0.0, =1.1.2 Source cves: CVE-2026-23515 Source advisory: SNYK:JS-SIGNALKSETSYSTEMTIME-15182653...

9.9CVSS5.8AI score0.04163EPSS
Exploits1
Veracode
Veracode
added 2026/01/07 2:51 p.m.5 views

Denial Of Service (DoS)

signalk-server is vulnerable to Denial of Service DoS. The vulnerability is due to unbounded in-memory storage of access request objects at the /signalk/v1/access/requests endpoint, which allows an unauthenticated attacker to flood the endpoint and crash the server through memory exhaustion...

7.5CVSS7.2AI score0.00519EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder