{"url":"http://public2.vulnerablecode.io/api/packages/936851?format=json","purl":"pkg:npm/signalk-server@2.20.1","type":"npm","namespace":"","name":"signalk-server","version":"2.20.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.25.0","latest_non_vulnerable_version":"2.25.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/81040?format=json","vulnerability_id":"VCID-69vq-fq3v-1yhf","summary":"Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.25.0, the HTTP login endpoints (POST /login and POST /signalk/v1/auth/login) are protected by express-rate-limit (default: 100 attempts per 10-minute window, configurable via HTTP_RATE_LIMITS). The WebSocket login path — sending {login: {username, password}} messages over an established WebSocket connection — calls app.securityStrategy.login() directly without any rate limiting. An attacker can bypass HTTP rate limiting entirely by opening a WebSocket connection and attempting unlimited password guesses at the speed bcrypt allows (~20 attempts/sec with 10 salt rounds). 
This issue has been patched in version 2.25.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41893","reference_id":"","reference_type":"","scores":[{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12174","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12252","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12274","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00039","scoring_system":"epss","scoring_elements":"0.12267","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41893"},{"reference_url":"https://github.com/SignalK/signalk-server","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/SignalK/signalk-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41893","reference_id":"","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41893"},{"reference_url":"https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d","reference_id":"215d81eb700d5419c3396a0fbf23f2e246dfac2d","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:50:07Z/"}],"url":"https://github.com/SignalK/signalk-server/commi
t/215d81eb700d5419c3396a0fbf23f2e246dfac2d"},{"reference_url":"https://github.com/SignalK/signalk-server/pull/2568","reference_id":"2568","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:50:07Z/"}],"url":"https://github.com/SignalK/signalk-server/pull/2568"},{"reference_url":"https://github.com/advisories/GHSA-vmfm-ch9h-5c7g","reference_id":"GHSA-vmfm-ch9h-5c7g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vmfm-ch9h-5c7g"},{"reference_url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-vmfm-ch9h-5c7g","reference_id":"GHSA-vmfm-ch9h-5c7g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:50:07Z/"}],"url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-vmfm-ch9h-5c7g"},{"reference_url":"https://github.com/SignalK/signalk-server/releases/tag/v2.25.0","reference_id":"v2.25.0","reference_type":"","scores":[{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-14T17:50:07Z/"}],"url":"https://github.com/SignalK/signalk-server/releases/tag/v2.25.0"}],
"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374219?format=json","purl":"pkg:npm/signalk-server@2.25.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.25.0"}],"aliases":["CVE-2026-41893","GHSA-vmfm-ch9h-5c7g"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-69vq-fq3v-1yhf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359168?format=json","vulnerability_id":"VCID-aan1-ykx1-ckhm","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33951","reference_id":"","reference_type":"","scores":[{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28537","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28733","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28758","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.28748","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33951"},{"reference_url":"https://github.com/SignalK/signalk-server","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/SignalK/signalk-server"},{"reference_url":"https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.9","sc
oring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.1"},{"reference_url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-gfmv-vh34-h2x5","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-gfmv-vh34-h2x5"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33951","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33951"},{"reference_url":"https://github.com/advisories/GHSA-gfmv-vh34-h2x5","reference_id":"GHSA-gfmv-vh34-h2x5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gfmv-vh34-h2x5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373805?format=json","purl":"pkg:npm/signalk-server@2.24.0-beta.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.24.0-beta.1"},{"url":"http://public2.vulnerablecode.io/api/packages/
995741?format=json","purl":"pkg:npm/signalk-server@2.24.0-beta.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69vq-fq3v-1yhf"},{"vulnerability":"VCID-dbpe-ejtp-4kay"},{"vulnerability":"VCID-jb5w-972p-mkef"},{"vulnerability":"VCID-w1ny-rhsp-s3dh"},{"vulnerability":"VCID-xraa-e8gf-afdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.24.0-beta.3"}],"aliases":["CVE-2026-33951","GHSA-gfmv-vh34-h2x5"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-aan1-ykx1-ckhm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/73104?format=json","vulnerability_id":"VCID-dbpe-ejtp-4kay","summary":"Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated Regular Expression Denial of Service (ReDoS) attack within the WebSocket subscription handling logic. By injecting unescaped regex metacharacters into the `context` parameter of a stream subscription, an attacker can force the server's Node.js event loop into a catastrophic backtracking loop when evaluating long string identifiers (like the server's self UUID). This results in a total Denial of Service (DoS) where the server CPU spikes to 100% and becomes completely unresponsive to further API or socket requests. 
Version 2.25.0 contains a fix.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39320","reference_id":"","reference_type":"","scores":[{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.2263","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22818","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22826","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22839","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-39320"},{"reference_url":"https://github.com/SignalK/signalk-server","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/SignalK/signalk-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39320","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-39320"},{"reference_url":"https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d","reference_id":"215d81eb700d5419c3396a0fbf23f2e246dfac2d","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:36:30Z/"}],"url":"https://github.com/SignalK/signalk-server/commit/215d81eb700d5419c3396a0fbf23f2e246dfac2d"},{"reference_url":"https
://github.com/SignalK/signalk-server/pull/2568","reference_id":"2568","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:36:30Z/"}],"url":"https://github.com/SignalK/signalk-server/pull/2568"},{"reference_url":"https://github.com/advisories/GHSA-7gcj-phff-2884","reference_id":"GHSA-7gcj-phff-2884","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7gcj-phff-2884"},{"reference_url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884","reference_id":"GHSA-7gcj-phff-2884","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:36:30Z/"}],"url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-7gcj-phff-2884"},{"reference_url":"https://github.com/SignalK/signalk-server/releases/tag/v2.25.0","reference_id":"v2.25.0","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-21T19:36:30Z/"}],"url":"https://github.com/SignalK/signalk-server/releases/tag/v2.25.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374219?format=json","purl":"pkg:npm/signalk-ser
ver@2.25.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.25.0"}],"aliases":["CVE-2026-39320","GHSA-7gcj-phff-2884"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dbpe-ejtp-4kay"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/75071?format=json","vulnerability_id":"VCID-jb5w-972p-mkef","summary":"Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header to steal OAuth authorization codes and hijack user sessions in realistic deployments, as the OIDC provider will then send the authorization code to whatever domain was injected. 
This issue has been patched in version 2.24.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34083","reference_id":"","reference_type":"","scores":[{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07823","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07816","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07792","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00026","scoring_system":"epss","scoring_elements":"0.07829","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-34083"},{"reference_url":"https://github.com/SignalK/signalk-server","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/SignalK/signalk-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34083","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34083"},{"reference_url":"https://github.com/advisories/GHSA-cxj8-ggf2-p57c","reference_id":"GHSA-cxj8-ggf2-p57c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cxj8-ggf2-p57c"},{"reference_url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-cxj8-ggf2-p57c","reference_id":"GHSA-cxj8-ggf2-p57c","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr",
"scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:39:14Z/"}],"url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-cxj8-ggf2-p57c"},{"reference_url":"https://github.com/SignalK/signalk-server/releases/tag/v2.24.0","reference_id":"v2.24.0","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:39:14Z/"}],"url":"https://github.com/SignalK/signalk-server/releases/tag/v2.24.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373953?format=json","purl":"pkg:npm/signalk-server@2.24.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69vq-fq3v-1yhf"},{"vulnerability":"VCID-dbpe-ejtp-4kay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.24.0"}],"aliases":["CVE-2026-34083","GHSA-cxj8-ggf2-p57c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jb5w-972p-mkef"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65679?format=json","vulnerability_id":"VCID-ngtr-u7an-x7ab","summary":"Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\\), which are treated as directory separators by path.join() on Windows. 
This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25228","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05891","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05877","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05883","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05866","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25228"},{"reference_url":"https://github.com/SignalK/signalk-server","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/SignalK/signalk-server"},{"reference_url":"https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7","reference_id":"9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:09:33Z/"}],"url":"https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25228","reference_id":"CVE-2026-25228","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_eleme
nts":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25228"},{"reference_url":"https://github.com/advisories/GHSA-vrhw-v2hw-jffx","reference_id":"GHSA-vrhw-v2hw-jffx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vrhw-v2hw-jffx"},{"reference_url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx","reference_id":"GHSA-vrhw-v2hw-jffx","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-04T21:09:33Z/"}],"url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38522?format=json","purl":"pkg:npm/signalk-server@2.20.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69vq-fq3v-1yhf"},{"vulnerability":"VCID-aan1-ykx1-ckhm"},{"vulnerability":"VCID-dbpe-ejtp-4kay"},{"vulnerability":"VCID-jb5w-972p-mkef"},{"vulnerability":"VCID-w1ny-rhsp-s3dh"},{"vulnerability":"VCID-xraa-e8gf-afdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.20.3"}],"aliases":["CVE-2026-25228","GHSA-vrhw-v2hw-jffx"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ngtr-u7an-x7ab"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78165?forma
t=json","vulnerability_id":"VCID-w1ny-rhsp-s3dh","summary":"Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33950","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09875","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.0989","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09888","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09841","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33950"},{"reference_url":"https://github.com/SignalK/signalk-server","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/SignalK/signalk-server"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33950","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33950"},{"reference_url":"https://github.com/advisories/GHSA-x8hc-fqv3-7gwf","reference_id":"GHSA-x8hc-fqv3-7gwf","reference_
type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x8hc-fqv3-7gwf"},{"reference_url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf","reference_id":"GHSA-x8hc-fqv3-7gwf","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-03T18:00:30Z/"}],"url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-x8hc-fqv3-7gwf"},{"reference_url":"https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4","reference_id":"v2.24.0-beta.4","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-03T18:00:30Z/"}],"url":"https://github.com/SignalK/signalk-server/releases/tag/v2.24.0-beta.4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374086?format=json","purl":"pkg:npm/signalk-server@2.24.0-beta.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69vq-fq3v-1yhf"},{"vulnerability":"VCID-dbpe-ejtp-4kay"},{"vulnerability":"VCID-jb5w-972p-mkef"},{"vulnerability":"VCID-xraa-e8gf-afdq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.24.0-beta.4"}],"aliases":["CVE-2026-33950","GHSA-x8hc-fqv3-7gwf"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-w1ny-rhsp-s3dh"},{"url":"ht
tp://public2.vulnerablecode.io/api/vulnerabilities/359190?format=json","vulnerability_id":"VCID-xraa-e8gf-afdq","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35038","reference_id":"","reference_type":"","scores":[{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.23177","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.23372","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.23385","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00077","scoring_system":"epss","scoring_elements":"0.23362","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-35038"},{"reference_url":"https://github.com/SignalK/signalk-server","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/SignalK/signalk-server"},{"reference_url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35038","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/
detail/CVE-2026-35038"},{"reference_url":"https://github.com/advisories/GHSA-qh3j-mrg8-f234","reference_id":"GHSA-qh3j-mrg8-f234","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qh3j-mrg8-f234"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373953?format=json","purl":"pkg:npm/signalk-server@2.24.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-69vq-fq3v-1yhf"},{"vulnerability":"VCID-dbpe-ejtp-4kay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.24.0"}],"aliases":["CVE-2026-35038","GHSA-qh3j-mrg8-f234"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xraa-e8gf-afdq"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/signalk-server@2.20.1"}