signalk-server
npm14 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting signalk-serverpage 1 of 1
- CVE-2025-66398CRITICALCVSS 9.6EG 9.6✓ Fixed in 2.19.02026-01-01
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint…
- CVE-2025-68272HIGHCVSS 7.5EG 7.5✓ Fixed in 2.19.02026-01-01
Signal K Server is a server application that runs on a central hub in a boat. A Denial of Service (DoS) vulnerability in versions prior to 2.19.0 allows an unauthenticated attacker to crash the SignalK Server by flooding the access request…
- CVE-2025-68273MEDIUMCVSS 5.3EG 5.3✓ Fixed in 2.19.02026-01-01
Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full …
- CVE-2025-68619HIGHCVSS 7.2EG 7.2✓ Fixed in 2.9.02026-01-01
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that th…
- CVE-2025-68620CRITICALCVSS 9.1EG 9.1✓ Fixed in 2.19.02026-01-01
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combine…
- CVE-2025-69203MEDIUMCVSS 6.3EG 6.3✓ Fixed in 2.19.02026-01-01
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability…
- CVE-2026-25228MEDIUMCVSS 5.0EG 5.0✓ Fixed in 2.20.32026-02-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list ar…
- CVE-2026-33950CRITICALCVSS 9.4EG 9.4✓ Fixed in 2.24.0-beta.42026-04-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain f…
- CVE-2026-33951HIGHCVSS 7.5EG 7.5✓ Fixed in 2.24.0-beta.12026-04-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorit…
- CVE-2026-34083MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.24.02026-04-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used …
- CVE-2026-35038MEDIUMCVSS 6.5EG 6.5✓ Fixed in 2.24.02026-04-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated use…
- CVE-2026-39320HIGHCVSS 7.5EG 7.5✓ Fixed in 2.25.02026-04-21
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logi…
- CVE-2026-41893HIGHCVSS 7.5EG 7.5✓ Fixed in 2.25.02026-05-09
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10…
- CVE-2026-55591MEDIUMCVSS 5.8EG 5.8✓ Fixed in 2.28.02026-06-18
Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints ### Summary signalk-server versions up to and including 2.27.0 contain a Server-Side Request Forgery (SSRF) vulnerability in three administrative endpoints used …
Check whether signalk-server is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for signalk-server CVEs against the assets you own.
Start Free Scan →