VYPR

Signalk Server

by Signalk

Source repositories

CVEs (15)

  • CVE-2026-33950CriApr 2, 2026
    risk 0.54cvss 9.4epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK…

  • CVE-2026-41893HigMay 9, 2026
    risk 0.42cvss 7.5epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via…

  • CVE-2026-39320HigApr 21, 2026
    risk 0.42cvss 7.5epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex…

  • CVE-2026-33951HigApr 2, 2026
    risk 0.42cvss 7.5epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT…

  • CVE-2026-35038MedApr 2, 2026
    risk 0.35cvss 6.5epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering…

  • CVE-2026-34083MedApr 2, 2026
    risk 0.33cvss 6.1epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri.…

  • CVE-2026-55591Jun 18, 2026
    risk 0.00cvss epss

    ### Summary signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery (SSRF) vulnerability in three administrative endpoints used for remote Signal K server connection management. The `makeRemoteRequest()` function accepts attacker-controlled…

  • CVE-2026-25228Feb 2, 2026
    risk 0.00cvss epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the…

  • CVE-2026-23515Feb 2, 2026
    risk 0.00cvss epss 0.04

    Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is…

  • CVE-2025-69203Jan 1, 2026
    risk 0.00cvss epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability enable convincing social engineering…

  • CVE-2025-68619Jan 1, 2026
    risk 0.00cvss epss 0.01

    Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package name exists in the npm…

  • CVE-2025-68620Jan 1, 2026
    risk 0.00cvss epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combines WebSocket-based request enumeration…

  • CVE-2025-68273Jan 1, 2026
    risk 0.00cvss epss 0.00

    Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial…

  • CVE-2025-68272Jan 1, 2026
    risk 0.00cvss epss 0.01

    Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request endpoint…

  • CVE-2025-66398Jan 1, 2026
    risk 0.00cvss epss 0.18

    Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the…