VYPR
Critical severity · OSV Advisory · Published Feb 2, 2026 · Updated Feb 3, 2026

RCE - Command Injection in Signal K set-system-time plugin

CVE-2026-23515

Description

Signal K Server is a server application that runs on a central hub in a boat. In versions of the set-system-time plugin prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the plugin is enabled. If security is disabled on the Signal K server, unauthenticated users can exploit the vulnerability as well. The cause is unsafe construction of shell commands from navigation.datetime values received via WebSocket delta messages. The vulnerability is fixed in 1.5.0.
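
An added example, not code from the plugin: a navigation.datetime value is checked with the regex from the fix commit listed under Patches, range-checked, and handed to `date` as a single argv element through execFile, so no shell parses it. The helper names, the sample deltas and the `date -u -s` invocation are assumptions.

```javascript
// Added example: not code from the set-system-time project.
const { execFile } = require('node:child_process')

// Format check as it appears in the fix commit on this page.
const ISO_DATETIME = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z?$/

// Collect navigation.datetime values from a Signal K delta message.
function datetimesFromDelta (delta) {
  const found = []
  for (const update of (delta && delta.updates) || []) {
    for (const pv of update.values || []) {
      if (pv.path === 'navigation.datetime') found.push(pv.value)
    }
  }
  return found
}

// Return the argv for `date`, or null when the value must be rejected.
function dateArgsFor (value) {
  // Type check first: RegExp.test() would coerce arrays and numbers to strings.
  if (typeof value !== 'string' || !ISO_DATETIME.test(value)) return null
  // The regex pins the layout, so the first 19 characters are the timestamp.
  const stamp = value.slice(0, 19).replace('T', ' ')
  // The regex checks shape only; also reject out-of-range fields (month 13).
  const [, mo, d, h, mi, s] = stamp.split(/[- :]/).map(Number)
  if (mo < 1 || mo > 12 || d < 1 || d > 31 || h > 23 || mi > 59 || s > 59) return null
  // Assumption: the value is UTC and `date -u -s` is the intended call.
  return ['-u', '-s', stamp]
}

// Hypothetical helper: execFile starts `date` directly, with no shell to
// interpret the value, so it always arrives as one argument.
function setSystemTime (value, callback) {
  const args = dateArgsFor(value)
  if (!args) return callback(new Error('rejected navigation.datetime value'))
  execFile('date', args, callback)
}

// Constructed sample deltas (not captured traffic).
const delta = (value) => ({ updates: [{ values: [{ path: 'navigation.datetime', value }] }] })
const goodDelta = delta('2024-01-10T17:55:03.000Z')
const badDelta = delta('2024-01-10T17:55:03Z; echo constructed')
```
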

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
@signalk/set-system-time (npm)   < 1.5.0             1.5.0

Patches

75b11eae2de5

fix: validate datetime format before shell interpolation

https://github.com/SignalK/set-system-time · KE Gustafsson · Jan 11, 2026 · via ghsa
1 file changed · +6 -0
  • index.js · +6 -0 · modified
    @@ -61,6 +61,12 @@ module.exports = function (app) {
               console.error("Set-system-time supports only linux-like os's")
             } else {
               if( ! plugin.useNetworkTime(options) ){
    +            // Validate datetime format to prevent command injection
    +            if (!/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z?$/.test(datetime)) {
    +              lastMessage = 'Invalid datetime format received: ' + String(datetime).substring(0, 50)
    +              logError(lastMessage)
    +              return
    +            }
                 const useSudoFallback = typeof options.sudo === 'undefined' || options.sudo
                 // Convert ISO 8601 datetime to format compatible with both GNU date and BusyBox date
                 // e.g., "2024-01-10T17:55:03.000Z" → "2024-01-10 17:55:03"
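
Review bot: the rejection branch copies up to 50 characters of the untrusted value into lastMessage and logError unescaped, so newlines and control characters from the delta reach the log and wherever lastMessage is surfaced; consider `JSON.stringify(String(datetime).substring(0, 50))` or logging only the length. The `.test(datetime)` call also coerces non-strings, so adding `typeof datetime !== 'string'` to the same condition would make the guard explicit. The pattern constrains shape only, and per the commit title the value is still interpolated into a shell command afterwards; passing it as an argument to execFile or spawn without a shell would remove the dependency on this regex staying strict.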
    
