Published security advisories for Signal K Server (severity, CVSS score, CVE ID, affected version range, advisory title). A dash means the field is not listed here.

Severity  Score  CVE             Affected versions        Advisory
CRITICAL  9.6    CVE-2025-66398  from 0, < 2.19.0         Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
CRITICAL  9.4    CVE-2026-33950  from 0, < 2.24.0-beta.4  Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
CRITICAL  9.1    CVE-2025-68620  from 0, < 2.19.0         Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
HIGH      7.5    —               from 0, < 2.25.0         Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
HIGH      7.5    —               from 0, < 2.24.0-beta.1  Signal K Server: Unauthenticated Source Priorities Manipulation
HIGH      7.5    —               from 0, < 2.19.0         Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
HIGH      7.2    —               from 0, < 2.9.0          Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
MEDIUM    6.3    —               from 0, < 2.19.0         Signal K Server Vulnerable to Access Request Spoofing
MEDIUM    6.1    —               >= 2.20.0, < 2.24.0      Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
MEDIUM    5.3    —               from 0, < 2.19.0         Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints
MEDIUM    5.0    —               from 0, < 2.20.3         SignalK Server has Path Traversal leading to information disclosure
—         —      —               from 0, < 2.25.0         Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
—         —      —               from 0, < 2.24.0         Signal K Server: Arbitrary Prototype Read via `from` Field Bypass