CVE-2026-25228

Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.

CVSS v3 5.0 MEDIUM

5.0^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7
https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx

Configurations

No configuration.

History

No history.

Information

Published : 2026-02-02 23:16

Updated : 2026-02-03 16:44

NVD link : CVE-2026-25228

Mitre link : CVE-2026-25228

CVE.ORG link : CVE-2026-25228

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

5.0 /10