Cyber Resilience

CVE-2026-23515

CriticalPublic PoCRCE

Published: 02 February 2026

Published
02 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0416 89.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-23515 is a critical-severity OS Command Injection (CWE-78) vulnerability in Signalk Signal K Server. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 10.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-23515 is a command injection vulnerability (CWE-78) affecting Signal K Server versions prior to 1.5.0. Signal K Server is a server application that runs on a central hub in a boat. The issue stems from unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages, specifically when the set-system-time plugin is enabled.

Authenticated users with write permissions can exploit this vulnerability to execute arbitrary shell commands on the Signal K server. Unauthenticated users can also exploit it if security is disabled on the server. The CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects its critical severity, enabling network-accessible attacks with low complexity that can achieve high confidentiality, integrity, and availability impacts through scope expansion.

The vulnerability is addressed in Signal K Server version 1.5.0. Additional details are available in the GitHub security advisory at https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg and the fixing commit at https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when…

more

the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

CVE enables exploitation of a public-facing WebSocket application (T1190) for arbitrary Unix shell command injection (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66398Same product: Signalk Signal K Server
CVE-2025-68619Same product: Signalk Signal K Server
CVE-2026-33951Same product: Signalk Signal K Server
CVE-2026-33950Same product: Signalk Signal K Server
CVE-2025-68620Same product: Signalk Signal K Server
CVE-2025-69203Same product: Signalk Signal K Server
CVE-2026-39320Same product: Signalk Signal K Server
CVE-2025-68272Same product: Signalk Signal K Server
CVE-2018-25115Shared CWE-78
CVE-2025-24382Shared CWE-78

Affected Assets

signalk
signal k server
≤ 1.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Validates navigation.datetime values in WebSocket delta messages to prevent command injection into shell commands.

prevent

Remediates the specific command injection flaw by timely application of vendor patches such as Signal K Server 1.5.0.

prevent

Prohibits or restricts the set-system-time plugin to essential capabilities only, eliminating the vulnerable attack surface.

References