CVE-2026-23515 · HIGH 8.8 · EPSS p89.6%

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.16% probability of exploitation · percentile 89.6% · 2026-06-19T12:03:05Z
Published: 2026-02-02
Last modified: 2026-02-27

Underlying weaknesses · 1

CWE-78

References

  1. https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24
  2. https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-33950
  2. CVE-2025-66398
  3. CVE-2025-68620
  4. CVE-2025-69203
  5. CVE-2025-60960
  6. CVE-2025-60963

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.