Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.

INFO

Published Date :

2026-02-02T20:43:32.219Z

Last Modified :

2026-02-03T15:32:04.099Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-23515 vulnerability.

Vendors Products
Signalk
  • Signal K Server
  • Signalk-server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-23515.

URL Resource
https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24 cve-icon cve-icon
https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact