{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T07:38:27.720","vulnerabilities":[{"cve":{"id":"CVE-2026-25228","sourceIdentifier":"security-advisories@github.com","published":"2026-02-02T23:16:10.080","lastModified":"2026-02-20T15:13:59.497","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3."},{"lang":"es","value":"Signal K Server es una aplicación de servidor que se ejecuta en un concentrador central en un barco. Antes de la versión 2.20.3, una vulnerabilidad de salto de ruta en la API applicationData de SignalK Server permite a los usuarios autenticados en sistemas Windows leer, escribir y listar archivos y directorios arbitrarios en el sistema de archivos. La función validateAppId() bloquea las barras diagonales (/) pero no las barras invertidas (\\), que son tratadas como separadores de directorio por path.join() en Windows. Esto permite a los atacantes escapar del directorio applicationData previsto. Esta vulnerabilidad está corregida en la versión 2.20.3."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","baseScore":5.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.1,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-22"}]}],"configurations":[{"operator":"AND","nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*","versionEndExcluding":"2.20.3","matchCriteriaId":"A3B62A9F-E2CD-4CFB-9505-2D5F92A206AF"}]},{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":false,"criteria":"cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*","matchCriteriaId":"A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}],"references":[{"url":"https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory","Mitigation"]}]}}]}