HIGH 7.5 npm
GHSA-7gcj-phff-2884 · CVE-2026-39320 Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
Modified: 4/21/2026
package
npm / signalk-server
pkg:npm/signalk-server
HIGH 7.5 npm
GHSA-7rqc-ff8m-7j23 · CVE-2025-68272 Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
Modified: 2/3/2026
HIGH 7.2 npm
GHSA-93jc-vqqc-vvvh · CVE-2025-68619 Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
Modified: 2/3/2026
MEDIUM 6.1 npm
GHSA-cxj8-ggf2-p57c · CVE-2026-34083 Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Modified: 4/3/2026
MEDIUM 5.3 npm
GHSA-fpf5-w967-rr2m · CVE-2025-68273 Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints
Modified: 2/3/2026
CRITICAL 9.1 npm
GHSA-fq56-hvg6-wvm5 · CVE-2025-68620 Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling
Modified: 2/3/2026
HIGH 7.5 npm
GHSA-gfmv-vh34-h2x5 · CVE-2026-33951 Signal K Server: Unauthenticated Source Priorities Manipulation
Modified: 4/6/2026
MEDIUM 5.8 npm
GHSA-q59x-jc9f-gfqf · CVE-2026-55591 Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
Modified: 6/18/2026
LOW npm
GHSA-qh3j-mrg8-f234 · CVE-2026-35038 Signal K Server: Arbitrary Prototype Read via `from` Field Bypass
Modified: 4/3/2026
MEDIUM 6.3 npm
GHSA-vfrf-vcj7-wvr8 · CVE-2025-69203 Signal K Server Vulnerable to Access Request Spoofing
Modified: 2/3/2026
HIGH npm
GHSA-vmfm-ch9h-5c7g · CVE-2026-41893 Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
Modified: 5/13/2026
MEDIUM 5.0 npm
GHSA-vrhw-v2hw-jffx · CVE-2026-25228 SignalK Server has Path Traversal leading to information disclosure
Modified: 2/3/2026
CRITICAL 9.6 npm
GHSA-w3x5-7c4c-66p9 · CVE-2025-66398 Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)
Modified: 2/3/2026
CRITICAL 9.4 npm
GHSA-x8hc-fqv3-7gwf · CVE-2026-33950 Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
Modified: 4/3/2026