{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23515", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T18:22:43.979Z", "datePublished": "2026-02-02T20:43:32.219Z", "dateUpdated": "2026-02-03T15:32:04.099Z"}, "containers": {"cna": {"title": "RCE - Command Injection in Signal K set-system-time plugin", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg"}, {"name": "https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24", "tags": ["x_refsource_MISC"], "url": "https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24"}], "affected": [{"vendor": "SignalK", "product": "signalk-server", "versions": [{"version": "< 1.5.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T20:43:32.219Z"}, "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0."}], "source": {"advisory": "GHSA-p8gp-2w28-mhwg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:31:29.337956Z", "id": "CVE-2026-23515", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:32:04.099Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "RCE - Command Injection in Signal K set-system-time plugin", "source": {"advisory": "GHSA-p8gp-2w28-mhwg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "SignalK", "product": "signalk-server", "versions": [{"status": "affected", "version": "< 1.5.0"}]}], "references": [{"url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg", "name": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24", "name": "https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-02T20:43:32.219Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23515", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T15:31:29.337956Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-03T15:31:50.537Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-23515", "state": "PUBLISHED", "dateUpdated": "2026-02-02T20:43:32.219Z", "dateReserved": "2026-01-13T18:22:43.979Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-02T20:43:32.219Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDF10E0C-7592-4369-B442-85E6DE5945C6", "versionEndExcluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0."}, {"lang": "es", "value": "Signal K Server es una aplicaci\u00f3n de servidor que se ejecuta en un concentrador central en una embarcaci\u00f3n. Previo a 1.5.0, una vulnerabilidad de inyecci\u00f3n de comandos permite a usuarios autenticados con permisos de escritura ejecutar comandos de shell arbitrarios en el servidor Signal K cuando el plugin set-system-time est\u00e1 habilitado. Usuarios no autenticados tambi\u00e9n pueden explotar esta vulnerabilidad si la seguridad est\u00e1 deshabilitada en el servidor Signal K. Esto ocurre debido a una construcci\u00f3n insegura de comandos de shell al procesar valores de navigation.datetime recibidos a trav\u00e9s de mensajes delta de WebSocket. Esta vulnerabilidad est\u00e1 corregida en 1.5.0."}], "id": "CVE-2026-23515", "lastModified": "2026-02-27T13:46:54.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-02T23:16:07.190", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T00:31:45.553650+00:00", "value": {"mitigation_remediation": ["Upgrade Signal K Server to version 1.5.0 or later, which contains the command\u2011injection fix.", "Disable the set-system-time plugin if it is not required for vessel operations.", "Enable and enforce the Signal K Server\u2019s authentication and write\u2011permission policies so that only trusted users can modify data, and activate the security feature to block unauthenticated access.", "Monitor WebSocket traffic for unexpected navigation.datetime updates and configure alerts for suspicious messages."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Signal K Server versions earlier than 1.5.0 that have the set-system-time plugin enabled are affected. The issue manifests on any installation of the signalk-server where the plugin is active, typically on the central data hub that aggregates vessel information via WebSocket.", "description_and_impact": "The vulnerability arises from unsafe construction of shell commands when the set-system-time plugin processes navigation.datetime values received via WebSocket delta messages. An attacker who can write to the server or who can bypass the security mechanisms can send specially crafted data that is interpreted as shell commands, allowing execution of arbitrary code on the host running Signal K Server. This is a classic command\u2011injection flaw (CWE\u201178) that grants full remote code execution and could compromise the entire boat\u2019s network, data, and control systems.", "risk_and_exploitability": "The CVSS base score is 10, indicating the worst possible severity. The EPSS score of 10% suggests a non\u2011negligible likelihood that attackers will attempt this exploit. Although it is not yet listed in the CISA KEV catalog, the combination of a high CVSS, a 10% EPSS, and the ability to exploit from both authenticated and unauthenticated contexts through WebSocket messages points to a high risk that is likely exploitable in operational environments where the set-system-time plugin is enabled and security is misconfigured or turned off."}}}}, "created": "2026-02-04T12:18:00.656638+00:00", "updated": "2026-04-18T00:45:32.229591+00:00", "vendors": ["signalk", "signalk$PRODUCT$signal_k_server", "signalk$PRODUCT$signalk-server"]}