CVE-2026-35038

EUVD-2026-18396

02.04.2026, 17:16

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Affected Products (NVD)

Vendor	Product	Version
signalk	signal_k_server	𝑥 < 2.24.0

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://github.com/SignalK/signalk-server/releases/tag/v2.24.0

https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f234