CVE-2026-4974

A flaw has been found in Tenda AC7 15.03.06.44. Affected by this issue is the function fromSetSysTime of the file /goform/SetSysTimeCfg of the component POST Request Handler. Executing a manipulation of the argument Time can lead to stack-based buffer overflow. It is possible to launch the attack...

CVE-2026-4974 Tenda AC7 POST Request SetSysTimeCfg fromSetSysTime memory corruption

A flaw has been found in Tenda AC7 15.03.06.44. Affected by this issue is the function fromSetSysTime of the file /goform/SetSysTimeCfg of the component POST Request Handler. Executing a manipulation of the argument Time can lead to stack-based buffer overflow. It is possible to launch the attack...

EUVD-2026-14165

Signal K set-system-time plugin vulnerable to RCE - Command Injection...

Command Injection

@signalk/set-system-time, is vulnerable to command injection. The vulnerability is due to unsafe construction of shell commands while processing navigation.datetime values via WebSocket delta messages, which allows an attacker with write access or unauthenticated access when security is disabled ...

CVE-2026-23515

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

CVE-2026-23515

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

CVE-2026-23515

The CVE affects Signal K Server’s set-system-time plugin, with exploitation possible before version 1.5.0. Authenticated users with write permissions (or any user if server security is disabled) can trigger command injection by sending crafted navigation.datetime values via WebSocket delta messag...

CVE-2026-23515 RCE - Command Injection in Signal K set-system-time plugin

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

CVE-2026-23515 RCE - Command Injection in Signal K set-system-time plugin

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

CVE-2026-23515 RCE - Command Injection in Signal K set-system-time plugin

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

CVE-2026-23515

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

signalk-server (>=1.0.0 <=1.1.2) potentially affected by CVE-2026-23515 via @signalk/set-system-time (>=1.0.0 <=1.2.0)

@signalk/set-system-time NPM version =1.0.0, =1.0.0, =1.1.2 Source cves: CVE-2026-23515 Source advisory: SNYK:JS-SIGNALKSETSYSTEMTIME-15182653...

signalk-server (>=1.0.0 <=1.1.2) potentially affected by CVE-2026-23515 via @signalk/set-system-time (>=1.0.0 <=1.2.0)

@signalk/set-system-time NPM version =1.0.0, =1.0.0, =1.1.2 Source cves: CVE-2026-23515 Source advisory: OSV:GHSA-P8GP-2W28-MHWG...

Command Injection

Overview @signalk/set-system-time is a Signal K server plugin to set system date & time on Signal K data, usually from a GPS Affected versions of this package are vulnerable to Command Injection via the stream.onValue function. An attacker can execute arbitrary shell commands on the server by...

GHSA-P8GP-2W28-MHWG Signal K set-system-time plugin vulnerable to RCE - Command Injection

Summary A Command Injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K...

Signal K set-system-time plugin vulnerable to RCE - Command Injection

Summary A Command Injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K...

PT-2026-5713

Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 1.5.0 Signal K Set-System-Time plugin versions prior to 1.5.0 Description A command injection issue exists in the Signal K Server and its Set-System-Time plugin. Authenticated users with write permissions can...

EUVD-2025-48945

Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow via the time parameter in the SetSysTimeCfg function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted request...

CVE-2025-55603

Tenda AX3 V16.03.12.10CN is vulnerable to Buffer Overflow in the fromSetSysTime function via the ntpServer parameter...

CVE-2025-55603

CVE-2025-55603 affects Tenda AX3 V16.03.12.10_CN. The vulnerability is a buffer overflow in the fromSetSysTime function triggered by the ntpServer parameter, as described across multiple sources (CNVD/CNNVD/RH/NVD). Impact is high: potential instability or crash (DoS) with high confidentiality/in...