← Retour aux CVEs
CVE-2026-23515
CRITICAL9.9
Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.
Details CVE
Score CVSS v3.19.9
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisLOW
Interaction utilisateurNONE
Publie2/2/2026
Derniere modification2/27/2026
Sourcenvd
Observations honeypot0
Produits affectes
signalk:signal_k_server
Faiblesses (CWE)
CWE-78
References
https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24(security-advisories@github.com)
https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg(security-advisories@github.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.