Medium severity 6.5 · NVD Advisory · Published Apr 2, 2026 · Updated Apr 29, 2026
CVE-2026-35038
Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via a `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering and extract internal functions and properties from the global prototype object. This violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| signalk-server (npm) | < 2.24.0 | 2.24.0 |
Affected products: 1
Patches: 0
No patches discovered yet.
References
- github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234 (nvd: Exploit, Mitigation, Vendor Advisory; WEB)
- github.com/advisories/GHSA-qh3j-mrg8-f234 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-35038 (ghsa: ADVISORY)
- github.com/SignalK/signalk-server/releases/tag/v2.24.0 (nvd: Product, Release Notes; WEB)