signalk-server — Vulnerabilities & Security Advisories 13

All 13 CVE vulnerabilities found in signalk-server, with AI-generated Chinese analysis, references, and POCs.

Vendor: SignalK

CVE ID	Title	CVSS	Severity	Published
CVE-2026-39320	Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths CWE-400	7.5	High	2026-04-21
CVE-2026-35038	signalk-server: Arbitrary Prototype Read via `from` Field Bypass CWE-20	6.5^AI	Medium^AI	2026-04-02
CVE-2026-34083	signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow CWE-346	6.1	Medium	2026-04-02
CVE-2026-33951	signalk-server: Unauthenticated Source Priorities Manipulation CWE-284	7.5^AI	High^AI	2026-04-02
CVE-2026-33950	signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity CWE-285	9.4	Critical	2026-04-02
CVE-2026-25228	SignalK Server has Path Traversal leading to information disclosure CWE-22	5.0	Medium	2026-02-02
CVE-2026-23515	RCE - Command Injection in Signal K set-system-time plugin CWE-78	10.0	Critical	2026-02-02
CVE-2025-69203	Signal K Server Vulnerable to Access Request Spoofing CWE-290	6.3	Medium	2026-01-01
CVE-2025-68619	Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package CWE-94	9.1	-	2026-01-01
CVE-2025-68620	Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling CWE-288	9.1	Critical	2026-01-01
CVE-2025-68273	Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints CWE-200	5.3	Medium	2026-01-01
CVE-2025-68272	Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding CWE-400	7.5	High	2026-01-01
CVE-2025-66398	Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE) CWE-78	9.7	Critical	2026-01-01

All 13 known CVE vulnerabilities affecting signalk-server with full Chinese analysis, references, and POCs where available.