PatchSiren

SignalK CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH SignalK CVE published 2026-05-09

CVE-2026-41893

CVE-2026-41893 affects Signal K Server versions before 2.25.0. The HTTP login endpoints are rate-limited, but the WebSocket login path accepts username/password messages without the same protection, allowing repeated guessing at the pace of bcrypt verification. The issue was addressed in version 2.25.0.
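The gap described above comes from enforcing the limit per transport instead of at the credential check. The sketch below is an added example, not Signal K Server code or its 2.25.0 fix: it puts one failure counter inside a shared login function so that HTTP and WebSocket attempts draw on the same budget. All names, the message shapes and the choice to key on the remote address are assumptions.

```javascript
// Added example with hypothetical names; not Signal K Server code.
// The limiter is enforced inside the credential check, so every transport
// that can submit a username/password draws on the same attempt budget.
class LoginLimiter {
  constructor({ maxAttempts = 5, windowMs = 10 * 60 * 1000, now = Date.now } = {}) {
    this.maxAttempts = maxAttempts
    this.windowMs = windowMs
    this.now = now
    this.failures = new Map() // client key -> timestamps of recent failures
  }

  // Drop failures older than the window and return what is left.
  recent(key) {
    const cutoff = this.now() - this.windowMs
    const kept = (this.failures.get(key) || []).filter((t) => t > cutoff)
    if (kept.length > 0) this.failures.set(key, kept)
    else this.failures.delete(key)
    return kept
  }

  blocked(key) {
    return this.recent(key).length >= this.maxAttempts
  }

  recordFailure(key) {
    this.failures.set(key, [...this.recent(key), this.now()])
  }
}

// Single choke point. verify(username, password) stands in for the bcrypt
// comparison; keying on the remote address alone is an assumption.
function makeLogin(limiter, verify) {
  return function login({ username, password, remoteAddress }) {
    // Refuse before the expensive hash comparison runs.
    if (limiter.blocked(remoteAddress)) return { status: 429 }
    if (verify(username, password)) return { status: 200 }
    limiter.recordFailure(remoteAddress)
    return { status: 401 }
  }
}

// Both transports are thin adapters over the same login(); the request and
// message shapes here are constructed for the example.
const httpLogin = (login, req) => login({ ...req.body, remoteAddress: req.ip })
const wsLogin = (login, socket, msg) =>
  login({ ...msg.login, remoteAddress: socket.remoteAddress })
```

Because the block check runs before `verify`, a client that has used up its budget no longer triggers hash comparisons on either path.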