Vulnerabilities in SignalK

14 results
CVE-2025-66398 | CRITICAL | Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) | EPSS 17.9%
CVE-2026-23515 | CRITICAL | RCE - Command Injection in Signal K set-system-time plugin | EPSS 4.2%
CVE-2025-68619 | HIGH | Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package | EPSS 0.6%
CVE-2025-68272 | HIGH | Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding | EPSS 0.5%
CVE-2025-68620 | CRITICAL | Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling | EPSS 0.5%
CVE-2026-39320 | HIGH | Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths | EPSS 0.4%
CVE-2026-33950 | CRITICAL | signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity | EPSS 0.4%
CVE-2026-25228 | MEDIUM | SignalK Server has Path Traversal leading to information disclosure | EPSS 0.4%
CVE-2025-68273 | MEDIUM | Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints | EPSS 0.3%
CVE-2026-41893 | HIGH | Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force) | EPSS 0.3%
CVE-2026-33951 | MEDIUM | signalk-server: Unauthenticated Source Priorities Manipulation | EPSS 0.3%
CVE-2026-35038 | LOW | signalk-server: Arbitrary Prototype Read via `from` Field Bypass | EPSS 0.3%
CVE-2025-69203 | MEDIUM | Signal K Server Vulnerable to Access Request Spoofing | EPSS 0.3%
CVE-2026-34083 | MEDIUM | signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow | EPSS 0.1%