CVE-2026-25228

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25228
Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.

5.0 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7 Patch
https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx Exploit Vendor Advisory Mitigation
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
History

20 Feb 2026, 15:13

Type Values Removed Values Added
References () https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7 - () https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7 - Patch
References () https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx - () https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx - Exploit, Vendor Advisory, Mitigation
First Time Signalk signal K Server
Signalk
Microsoft
Microsoft windows
Summary
  • (es) Signal K Server es una aplicación de servidor que se ejecuta en un concentrador central en un barco. Antes de la versión 2.20.3, una vulnerabilidad de salto de ruta en la API applicationData de SignalK Server permite a los usuarios autenticados en sistemas Windows leer, escribir y listar archivos y directorios arbitrarios en el sistema de archivos. La función validateAppId() bloquea las barras diagonales (/) pero no las barras invertidas (\), que son tratadas como separadores de directorio por path.join() en Windows. Esto permite a los atacantes escapar del directorio applicationData previsto. Esta vulnerabilidad está corregida en la versión 2.20.3.
CPE cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

02 Feb 2026, 23:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-02 23:16

Updated : 2026-02-20 15:13

NVD link : CVE-2026-25228

Mitre link : CVE-2026-25228

CVE.ORG link : CVE-2026-25228

JSON object : View

Products Affected

signalk

  • signal_k_server

microsoft

  • windows
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')