Signal K Server (for boats) before 2.19.0 allows unauthenticated attackers to hijack the backup restore function by polluting the internal restoreFilePath state via the /validateBackup endpoint. This enables overwriting security.json and other critical files to achieve OS command injection.
RCE
Signal K Server
NVD
GitHub
CVSS 3.1
9.6
EPSS
0.1%
Signal K Server before 2.19.0 exposes two features that chain together to steal JWT tokens without authentication: WebSocket-based request enumeration plus unauthenticated polling of access request status. An attacker can hijack admin sessions remotely. PoC available.
Authentication Bypass
Signal K Server
NVD
GitHub
CVSS 3.1
9.1
EPSS
0.1%