Skip to main content
CVE-2025-66398 CRITICAL POC PATCH GHSA Act Now

Signal K Server (for boats) before 2.19.0 allows unauthenticated attackers to hijack the backup restore function by polluting the internal restoreFilePath state via the /validateBackup endpoint. This enables overwriting security.json and other critical files to achieve OS command injection.

RCE Signal K Server
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-68620 CRITICAL POC PATCH Act Now

Signal K Server before 2.19.0 exposes two features that chain together to steal JWT tokens without authentication: WebSocket-based request enumeration plus unauthenticated polling of access request status. An attacker can hijack admin sessions remotely. PoC available.

Authentication Bypass Signal K Server
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy