Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.
Published: 2026-02-02
Score: 10 Critical
EPSS: 9.5% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from unsafe construction of shell commands when the set-system-time plugin processes navigation.datetime values received via WebSocket delta messages. An attacker who can write to the server or who can bypass the security mechanisms can send specially crafted data that is interpreted as shell commands, allowing execution of arbitrary code on the host running Signal K Server. This is a classic command‑injection flaw (CWE‑78) that grants full remote code execution and could compromise the entire boat’s network, data, and control systems.

Affected Systems

Signal K Server versions earlier than 1.5.0 that have the set-system-time plugin enabled are affected. The issue manifests on any installation of the signalk-server where the plugin is active, typically on the central data hub that aggregates vessel information via WebSocket.

Risk and Exploitability

The CVSS base score is 10, indicating the worst possible severity. The EPSS score of 10% suggests a non‑negligible likelihood that attackers will attempt this exploit. Although it is not yet listed in the CISA KEV catalog, the combination of a high CVSS, a 10% EPSS, and the ability to exploit from both authenticated and unauthenticated contexts through WebSocket messages points to a high risk that is likely exploitable in operational environments where the set-system-time plugin is enabled and security is misconfigured or turned off.

Generated by OpenCVE AI on April 18, 2026 at 00:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Signal K Server to version 1.5.0 or later, which contains the command‑injection fix.
  • Disable the set-system-time plugin if it is not required for vessel operations.
  • Enable and enforce the Signal K Server’s authentication and write‑permission policies so that only trusted users can modify data, and activate the security feature to block unauthenticated access.
  • Monitor WebSocket traffic for unexpected navigation.datetime updates and configure alerts for suspicious messages.

Generated by OpenCVE AI on April 18, 2026 at 00:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p8gp-2w28-mhwg Signal K set-system-time plugin vulnerable to RCE - Command Injection
History

Fri, 27 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*

Wed, 04 Feb 2026 12:30:00 +0000

Type Values Removed Values Added
First Time appeared Signalk
Signalk signal K Server
Signalk signalk-server
Vendors & Products Signalk
Signalk signal K Server
Signalk signalk-server

Tue, 03 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.
Title RCE - Command Injection in Signal K set-system-time plugin
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Signalk Signal K Server Signalk-server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-03T15:32:04.099Z

Reserved: 2026-01-13T18:22:43.979Z

Link: CVE-2026-23515

cve-icon Vulnrichment

Updated: 2026-02-03T15:31:50.537Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-02T23:16:07.190

Modified: 2026-02-27T13:46:54.247

Link: CVE-2026-23515

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses