CVE-2026-25228

Source
https://cve.org/CVERecord?id=CVE-2026-25228
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25228.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25228
Aliases
Published
2026-02-02T23:02:52.062Z
Modified
2026-03-01T02:57:14.158070Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary
SignalK Server has Path Traversal leading to information disclosure
Details

Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.
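
The separator mismatch described above, shown as an added example; it is not code from signalk-server or from this record. The function names, the base directory and the allow-list pattern are assumptions made for illustration, and Node's `path.win32` / `path.posix` are used so the result is the same on any host.

```javascript
// Added example: all names and values below are hypothetical.
const path = require('node:path');

// Constructed base directory, for illustration only.
const BASE = 'C:\\signalk\\applicationData';

// A check of the kind the advisory describes: rejects '/' but not '\'.
function slashOnlyCheck(appId) {
  return typeof appId === 'string' && appId.length > 0 && !appId.includes('/');
}

// Stricter check (assumed policy): allow-list of characters, so neither
// separator can appear, and no identifier made only of dots.
function strictCheck(appId) {
  return typeof appId === 'string' &&
    /^[A-Za-z0-9._-]{1,64}$/.test(appId) &&
    !/^\.+$/.test(appId);
}

// Defence in depth: resolve with the platform's rules, then confirm the
// result is still below the base directory before touching the filesystem.
function resolveInside(base, appId, pathApi = path.win32) {
  const root = pathApi.resolve(base);
  const target = pathApi.resolve(root, appId);
  const rel = pathApi.relative(root, target);
  const escapes = rel === '' || rel === '..' ||
    rel.startsWith('..' + pathApi.sep) || pathApi.isAbsolute(rel);
  return escapes ? null : target;
}

// Summarise how one identifier fares under each check and each path flavour.
function evaluate(appId) {
  return {
    slashOnly: slashOnlyCheck(appId),
    strict: strictCheck(appId),
    win32Joined: path.win32.join(BASE, appId),
    posixJoined: path.posix.join('/srv/applicationData', appId),
    contained: resolveInside(BASE, appId) !== null,
  };
}

// Constructed sample identifiers: one ordinary, one containing backslashes.
for (const id of ['my-plugin', 'a\\..\\..\\other']) {
  console.log(JSON.stringify(id), evaluate(id));
}
```

On the POSIX side the backslashes stay inside a single path segment, which is why the record limits the issue to Windows systems.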

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25228.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/signalk/signalk-server

Affected ranges

Type
GIT
Repo
https://github.com/signalk/signalk-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*
0.1.1
0.1.10
0.1.11
0.1.12
0.1.13
0.1.18
0.1.19
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
Other
latest
v0.*
v0.1.24
v0.1.26
v0.1.27
v0.1.28
v0.1.29
v0.1.30
v0.1.33
v1.*
v1.0.0
v1.0.0-0
v1.0.0-1
v1.0.0-2
v1.0.0-3
v1.0.0-4
v1.1.0
v1.1.1
v1.1.2
v1.10.0
v1.10.1
v1.10.2
v1.12.0
v1.13.0
v1.13.1
v1.14.0
v1.15.0
v1.16.0
v1.17.0
v1.18.0
v1.19.0
v1.19.0-beta.2
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.2.4
v1.20.0
v1.21.0
v1.22.0
v1.23.0
v1.24.0
v1.25.0
v1.26.0
v1.27.0
v1.27.1
v1.28.0
v1.29.0
v1.3.0
v1.30.0
v1.31.0
v1.32.0
v1.32.0-beta.1
v1.32.0-beta.2
v1.32.0-beta.3
v1.33.0
v1.33.0-beta.1
v1.34.0
v1.35.0
v1.35.1
v1.35.2
v1.36.0
v1.36.0-beta.1
v1.36.0-beta.2
v1.36.0-beta.3
v1.37.0
v1.37.0-beta.1
v1.37.0-beta.3
v1.37.1
v1.37.2
v1.37.3
v1.37.4
v1.37.5
v1.37.6
v1.38.0
v1.38.1
v1.39.0
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.40.0
v1.41.0
v1.41.0-beta.1
v1.41.0-beta.2
v1.41.0-beta.3
v1.41.0-beta.4
v1.41.1
v1.41.2
v1.41.3
v1.42.0
v1.43.0
v1.44.0
v1.45.0
v1.46.0
v1.46.1
v1.46.2
v1.46.3
v1.5.0
v1.6.0
v1.7.0
v1.7.1
v1.8.0
v1.9.0
v1.9.1
v2.*
v2.0.0
v2.0.0-beta.10
v2.0.0-beta.11
v2.0.0-beta.12
v2.0.0-beta.2
v2.0.0-beta.3
v2.0.0-beta.4
v2.0.0-beta.5
v2.0.0-beta.6
v2.0.0-beta.7
v2.0.0-beta.8
v2.0.0-beta.9
v2.1.0
v2.1.1
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.13.0-beta.0
v2.13.0-beta.1
v2.13.0-beta.2
v2.13.0-beta.3
v2.13.1
v2.13.2
v2.13.3
v2.13.4
v2.13.5
v2.14.0
v2.14.0-beta.0
v2.14.0-beta.1
v2.14.1
v2.14.2
v2.14.3
v2.14.4
v2.15.0
v2.15.0-beta.5
v2.15.0-beta.6
v2.15.1
v2.15.2
v2.15.3
v2.16.0
v2.17.0
v2.17.1
v2.17.2
v2.18.0
v2.19.0
v2.19.0-beta.1
v2.19.0-beta.2
v2.19.0-beta.3
v2.19.0-beta.4
v2.19.0-beta.5
v2.19.1
v2.2.0
v2.20.0
v2.20.0-beta.1
v2.20.1
v2.20.2
v2.3.0
v2.3.1
v2.4.1
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.7.1
v2.7.2
v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25228.json"