pkg:npm/signalk-server

13 total CVEs: CRITICAL 3, HIGH 4, MEDIUM 4

All known vulnerabilities

  • CRITICAL 9.6 CVE-2025-66398: Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
    Affected versions: from 0, < 2.19.0
  • CRITICAL 9.4 CVE-2026-33950: Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
    Affected versions: from 0, < 2.24.0-beta.4
  • CRITICAL 9.1 CVE-2025-68620: Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
    Affected versions: from 0, < 2.19.0
  • HIGH 7.5 CVE-2026-39320: Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
    Affected versions: from 0, < 2.25.0
  • HIGH 7.5 CVE-2026-33951: Signal K Server: Unauthenticated Source Priorities Manipulation
    Affected versions: from 0, < 2.24.0-beta.1
  • HIGH 7.5 CVE-2025-68272: Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
    Affected versions: from 0, < 2.19.0
  • HIGH 7.2 CVE-2025-68619: Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
    Affected versions: from 0, < 2.9.0
  • MEDIUM 6.3 CVE-2025-69203: Signal K Server Vulnerable to Access Request Spoofing
    Affected versions: from 0, < 2.19.0
  • MEDIUM 6.1 CVE-2026-34083: Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
    Affected versions: >= 2.20.0, < 2.24.0
  • MEDIUM 5.3 CVE-2025-68273: Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints
    Affected versions: from 0, < 2.19.0
  • MEDIUM 5.0 CVE-2026-25228: SignalK Server has Path Traversal leading to information disclosure
    Affected versions: from 0, < 2.20.3
  • CVE-2026-41893: Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
    Affected versions: from 0, < 2.25.0
  • CVE-2026-35038: Signal K Server: Arbitrary Prototype Read via `from` Field Bypass
    Affected versions: from 0, < 2.24.0