MSS-SK-2026-0018
RCE via datetime command injection (≤1.4.0 only)
Summary
RCE via datetime command injection.
Affected versions: <= 1.4.0
CVE: CVE-2026-23515
Validation: the anchored regex in v1.5.0 blocks shell metacharacters; the finding is only valid for ≤1.4.0.
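Why anchoring matters for the validation note above, as an added example that is not the project's or the PoC's code. The regexes, function names, the `date -u -s` argument vector and the sample inputs are all constructed assumptions.

```javascript
// Added example: every name, regex and input here is constructed, not Signal K code.

// Unanchored: passes if a timestamp appears ANYWHERE in the input.
const UNANCHORED = /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,3})?Z/;

// Anchored: the whole input must be exactly one UTC timestamp.
// No "m" flag, so ^ and $ match only at the very start and end of the input.
const ANCHORED = /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d{1,3})?Z$/;

function looseCheck(value) {
  return typeof value === 'string' && UNANCHORED.test(value);
}

function strictCheck(value) {
  if (typeof value !== 'string') return false;
  const m = ANCHORED.exec(value);
  if (!m) return false;
  // Range-check the fields so "month 13" style values are rejected too.
  const [mo, d, h, mi, s] = m.slice(2, 7).map(Number);
  return mo >= 1 && mo <= 12 && d >= 1 && d <= 31 && h <= 23 && mi <= 59 && s <= 59;
}

// Returns an argument vector for a spawn API that does not go through a
// shell (for example child_process.execFile), or null when the input is rejected.
// The "date -u -s" command line is an assumption made for this example.
function buildSetTimeArgv(value) {
  return strictCheck(value) ? ['date', '-u', '-s', value] : null;
}

// Constructed sample inputs.
const SAMPLES = [
  '2026-01-01T00:00:00Z',
  '2026-01-01T00:00:00.250Z',
  '2026-01-01T00:00:00Z; echo constructed',
  '$(echo constructed)2026-01-01T00:00:00Z',
  '2026-01-01T00:00:00Z\n',
  '2026-13-01T00:00:00Z',
];

function compare() {
  return SAMPLES.map((s) => ({ input: s, loose: looseCheck(s), strict: strictCheck(s) }));
}

console.table(compare());
```

The unanchored check accepts all six inputs, while the anchored check accepts only the first two.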
Impact
See the PoC script header.
Evidence — code citations
Proof of concept
research/audits/signalk/exploits/0018-set-system-time-rce-via-datetime-command-injection.py/
- 0018-set-system-time-rce-via-datetime-command-injection.py: single-file