Vulnerability Description
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Signalk | Signal K Server | < 2.24.0 |
Related Weaknesses (CWE)
References
- https://github.com/SignalK/signalk-server/releases/tag/v2.24.0ProductRelease Notes
- https://github.com/SignalK/signalk-server/security/advisories/GHSA-qh3j-mrg8-f23ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-35038?
CVE-2026-35038 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability al...
How severe is CVE-2026-35038?
CVE-2026-35038 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35038?
Check the references section above for vendor advisories and patch information. Affected products include: Signalk Signal K Server.