CVE-2026-35038
MEDIUM WAF: Medium
CVSS 6.5
Published: 2026-04-02
CWE-20
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, there is an arbitrary prototype read vulnerability via `from` field bypass. This vulnerability allows a low-privileged authenticated user to bypass prototype boundary filtering to extract internal functions and properties from the global prototype object this violates data isolation and lets a user read more than they should. This issue has been patched in version 2.24.0.
WAF Coverage Analysis
Improper Input Validation
Medium WAF Coverage
OWASP: A03:2021 Injection
920xxx - Protocol Enforcement 941xxx - XSS / XXE 942xxx - SQL Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| signalk | signal_k_server | up to 2.24.0 |
References
- github.com (Product, Release Notes)
- github.com (Exploit, Mitigation, Vendor Advisory)