CVE-2026-23515

Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 1.5.0 Signal K Set-System-Time plugin versions prior to 1.5.0

Description A command injection issue exists in the Signal K Server and its Set-System-Time plugin. Authenticated users with write permissions can execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this if security is disabled on the Signal K server. This is due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. The vulnerability occurs because the datetime value is directly interpolated into a shell command without validation, and the command is then executed using spawn('sh', ['-c', command]), which interprets shell metacharacters. The plugin may execute with elevated privileges if sudo is misconfigured. A proof-of-concept (PoC) demonstrates the ability to create a file (/tmp/signalk-RCE.txt) to prove code execution. Successful exploitation can lead to complete system compromise.

Recommendations Update to Signal K Server version 1.5.0. Update to Signal K Set-System-Time plugin version 1.5.0. Replace shell-based execution with child process.execFile() so user-controlled input is passed as arguments rather than interpreted by a shell. Validate that navigation.datetime conforms to an expected ISO-8601 format to improve robustness.