CVE-2026-23515
Unknown Unknown - Not Provided
Command Injection in Signal K Server via set-system-time Plugin

Publication date: 2026-02-02

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-02
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23515
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
signalk signal_k_server to 1.5.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a command injection flaw in the Signal K Server application (prior to version 1.5.0). It allows authenticated users with write permissions to execute arbitrary shell commands on the server when the set-system-time plugin is enabled. Additionally, if security is disabled, unauthenticated users can also exploit this issue. The root cause is unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages.

Impact Analysis

This vulnerability can have severe impacts including full compromise of the Signal K Server. An attacker could execute arbitrary shell commands, potentially leading to complete control over the server, data theft, data corruption, or denial of service. The CVSS score of 9.9 indicates a critical severity with high impact on confidentiality, integrity, and availability.

Mitigation Strategies

Upgrade the Signal K Server to version 1.5.0 or later, as this version fixes the command injection vulnerability. Additionally, ensure that security is enabled on the Signal K server to prevent unauthenticated exploitation, and restrict write permissions to trusted authenticated users only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23515. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart