Origin Validation Error
Overview signalk-server is an implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Origin Validation Error via the construction of the redirectUri and fullPostLogoutUri using an unvalidated Host header in the OIDC authentication and logout processe...
EUVD-2026-18374
Signal K Server: Unauthenticated Source Priorities Manipulation...
CVE-2026-35038
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via from field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal...
Out-of-bounds Read
Overview signalk-server is an implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Out-of-bounds Read in the from field of JSON-patch operations. An attacker can access internal Node.js functions and prototype state by crafting a payload that targe...
EUVD-2026-18396
Signal K Server: Arbitrary Prototype Read via from Field Bypass...
CVE-2026-33951
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT...
CVE-2026-33950
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...
CVE-2026-33950 signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time...
CVE-2026-33950
SignalK server (signalk-server) is affected. Before version 2.24.0-beta.4, there is a privilege escalation via Admin Role Injection through /enableSecurity. An unauthenticated attacker can gain full Administrator access to the server, potentially modifying vessel routing data, server configuratio...
PT-2026-29804
Summary The /signalk/v1/applicationData/... JSON-patch endpoint allows users to modify stored application data. To prevent Prototype Pollution, the developers implemented an isPrototypePollutionPath guard. However, this guard only checks the path property of incoming JSON-patch objects. It...
OPENSUSE-SU-2026:10270-1 gosec-2.24.0-1.1 on GA media
These are all security issues fixed in the gosec-2.24.0-1.1 package on the GA media of openSUSE Tumbleweed...
GeoServer 2.24.0 < 2.24.2 Path Traversal
According to its banner, the version of GeoServer running on the remote host is prior to 2.23.5 or 2.24.0 prior to 2.24.2. It is, therefore, affected by an Arbitrary File Renaming. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported...
Exploit for Code Injection in Geoserver
CVE-2024-36401-poc CVE-2024-36401 is a high-risk remote code...
CVE-2024-30264
Typebot is affected by a reflected XSS in the sign-in page, exploitable via the redirectPath URL parameter if it uses a javascript scheme. This can allow an attacker to execute arbitrary JavaScript with the user’s privileges, potentially hijacking accounts. The issue affects Typebot versions prio...
CVE-2024-30264 typebot.io: `GHSL-2024-040`
Typebot is an open-source chatbot builder. A reflected cross-site scripting XSS in the sign-in page of typebot.io prior to version 2.24.0 may allow an attacker to hijack a user's account. The sign-in page takes the redirectPath parameter from the URL. If a user clicks on a link where the...
Typebot Security Vulnerability
Typebot is an open source chatbot builder by the individual developer Baptiste Arnaud. A security vulnerability exists in Typebot versions prior to 2.24.0, which stems from the presence of a Reflected Cross-Site Scripting XSS vulnerability...
PT-2024-23307
Name of the Vulnerable Software and Affected Versions Typebot versions prior to 2.24.0 Description A reflected cross-site scripting XSS issue in the sign-in page of typebot.io may allow an attacker to hijack a user's account. The sign-in page takes the redirectPath parameter from the URL. If a us...
GiveWP < 2.24.0 - Contributor+ Stored XSS
The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks givemultiformgoal image='"...
PT-2022-22680 · Apache · Apache Activemq Artemis
Name of the Vulnerable Software and Affected Versions: Apache ActiveMQ Artemis versions prior to 2.24.0 Description: An issue exists where an attacker could display malicious content and/or redirect users to a malicious URL in the web console by using HTML in the name of an address or queue...