Skip to main content

Signal K Server CVE-2026-23515

CRITICAL
OS Command Injection (CWE-78)
2026-02-02 security-advisories@github.com GHSA-p8gp-2w28-mhwg
Command Injection Signal K Server
9.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:01 vuln.today
PoC Detected
Feb 27, 2026 - 13:46 vuln.today
Public exploit code
Patch released
Feb 27, 2026 - 13:46 nvd
Patch available
CVE Published
Feb 02, 2026 - 23:16 nvd
CRITICAL 9.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 3 npm packages depend on @signalk/set-system-time (1 direct, 2 indirect)

Ecosystem-wide dependent count for version 1.5.0.

DescriptionGitHub Advisory

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.

AnalysisAI

Command injection in Signal K Server (maritime navigation) before 1.5.0 allows authenticated users to execute OS commands. EPSS 4.96% with PoC and patch available.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send crafted WebSocket delta message
Exploit
Inject shell commands in navigation.datetime value
Execution
set-system-time plugin processes unsafe command
Impact
Execute arbitrary shell commands on server
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Signal K Server version prior to 1.5.0 with set-system-time plugin enabled. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 9.9, EPSS 4.96%. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario Authenticated user on the boat's network injects commands through Signal K, gaining control of the navigation server and connected instruments.
Remediation Update to Signal K Server 1.5.0. Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Signal K Server instances in your environment and determine which have the set-system-time plugin enabled; isolate affected systems from critical networks if patching cannot be completed immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-23515 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy