signalk-server
npm · 10 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting signalk-server
- CVE-2025-66398 · CRITICAL · CVSS 9.6 · EG 9.6 · ✓ Fixed in 2.19.0 · 2026-01-01
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint…
- CVE-2025-68620 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 2.19.0 · 2026-01-01
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 expose two features that can be chained together to steal JWT authentication tokens without any prior authentication. The attack combine…
- CVE-2025-69203 · MEDIUM · CVSS 6.3 · EG 6.3 · ✓ Fixed in 2.19.0 · 2026-01-01
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the access request system have two related features that when combined by themselves and with an information disclosure vulnerability…
- CVE-2026-25228 · MEDIUM · CVSS 5.0 · EG 5.0 · ✓ Fixed in 2.20.3 · 2026-02-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list ar…
- CVE-2026-33950 · CRITICAL · CVSS 9.4 · EG 9.4 · ✓ Fixed in 2.24.0-beta.4 · 2026-04-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain f…
- CVE-2026-33951 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.24.0-beta.1 · 2026-04-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorit…
- CVE-2026-34083 · MEDIUM · CVSS 6.1 · EG 6.1 · ✓ Fixed in 2.24.0 · 2026-04-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used …
- CVE-2026-35038 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 2.24.0 · 2026-04-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated use…
- CVE-2026-39320 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.25.0 · 2026-04-21
Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logi…
- CVE-2026-41893 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 2.25.0 · 2026-05-09
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10…