5
CVE-2026-25228
- EPSS 0.38%
- Veröffentlicht 02.02.2026 23:16:10
- Zuletzt bearbeitet 20.02.2026 15:13:59
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginSignalK Server has Path Traversal leading to information disclosure
Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Signalk ≫ Signal K Server Version < 2.20.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.38% | 0.3 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
| security-advisories@github.com | 5 | 3.1 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
|
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7
https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx