CVE-2026-23515
Published: 02 February 2026
Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.
Mitigating Controls (NIST 800-53 r5)
Validates navigation.datetime values in WebSocket delta messages to prevent command injection into shell commands.
Remediates the specific command injection flaw by timely application of vendor patches such as Signal K Server 1.5.0.
Prohibits or restricts the set-system-time plugin to essential capabilities only, eliminating the vulnerable attack surface.
Security Summary
CVE-2026-23515 is a command injection vulnerability (CWE-78) affecting Signal K Server versions prior to 1.5.0. Signal K Server is a server application that runs on a central hub in a boat. The issue stems from unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages, specifically when the set-system-time plugin is enabled.
Authenticated users with write permissions can exploit this vulnerability to execute arbitrary shell commands on the Signal K server. Unauthenticated users can also exploit it if security is disabled on the server. The CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects its critical severity, enabling network-accessible attacks with low complexity that can achieve high confidentiality, integrity, and availability impacts through scope expansion.
The vulnerability is addressed in Signal K Server version 1.5.0. Additional details are available in the GitHub security advisory at https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg and the fixing commit at https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing WebSocket application (T1190) to achieve arbitrary Unix shell command injection (T1059.004).