CVE-2026-25228

{"id": "CVE-2026-25228", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.0, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2026-02-02T23:16:10.080", "references": [{"url": "https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3."}, {"lang": "es", "value": "Signal K Server es una aplicaci\u00f3n de servidor que se ejecuta en un concentrador central en un barco. Antes de la versi\u00f3n 2.20.3, una vulnerabilidad de salto de ruta en la API applicationData de SignalK Server permite a los usuarios autenticados en sistemas Windows leer, escribir y listar archivos y directorios arbitrarios en el sistema de archivos. La funci\u00f3n validateAppId() bloquea las barras diagonales (/) pero no las barras invertidas (\\), que son tratadas como separadores de directorio por path.join() en Windows. Esto permite a los atacantes escapar del directorio applicationData previsto. Esta vulnerabilidad est\u00e1 corregida en la versi\u00f3n 2.20.3."}], "lastModified": "2026-02-20T15:13:59.497", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:signalk:signal_k_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A3B62A9F-E2CD-4CFB-9505-2D5F92A206AF", "versionEndExcluding": "2.20.3"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "security-advisories@github.com"}