CVE-2026-23515
moderate-risk
Published 2026-02-02
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.
Do I need to act?
~
9.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: f4bdeea61261185993d68a87f96996e7790bef22, 83016dc0c56c19670e0f9d202a293964fcfcd972
9
CVSS 9.9/10
Critical
NETWORK
/ LOW complexity
Affected Products (1)
Signal K Server
Affected Vendors
49
/ 100
moderate-risk
Severity
33/34 · Critical
Exploitability
11/34 · Low
Exposure
5/34 · Minimal