Search

Find a vulnerability

Search criteria

    24 vulnerabilities found for 9Router by decolua

    CVE-2026-62328 (GCVE-0-2026-62328)

    Vulnerability from nvd – Published: 2026-07-13 21:37 – Updated: 2026-07-13 21:37 X_Open Source
    VLAI
    Title
    9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints
    Summary
    9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    decolua 9Router Affected: 0 , ≤ 0.4.41 (semver)
    Create a notification for this product.
    Date Public
    2026-06-13 00:00
    Credits
    Ngô Tấn Tài (@newnol)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/9router",
              "product": "9Router",
              "repo": "https://github.com/decolua/9router",
              "vendor": "decolua",
              "versions": [
                {
                  "lessThanOrEqual": "0.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ng\u00f4 T\u1ea5n T\u00e0i (@newnol)"
            }
          ],
          "datePublic": "2026-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-359",
                  "description": "Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T21:37:52.094Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-vjc7-jrh9-9j86)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86"
            },
            {
              "name": "VulnCheck Advisory: 9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/9router-unauthenticated-information-disclosure-via-api-usage-endpoints"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-62328",
        "datePublished": "2026-07-13T21:37:52.094Z",
        "dateReserved": "2026-07-13T21:36:08.380Z",
        "dateUpdated": "2026-07-13T21:37:52.094Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62327 (GCVE-0-2026-62327)

    Vulnerability from nvd – Published: 2026-07-13 21:37 – Updated: 2026-07-13 21:37 X_Open Source
    VLAI
    Title
    9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats
    Summary
    9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit the missing authentication middleware on the Next.js API route to obtain full API key strings alongside token counts, cost breakdowns, and request metadata, enabling unauthorized use of connected AI provider accounts, billing fraud, and quota exhaustion.
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    decolua 9Router Affected: 0 , ≤ 0.4.41 (semver)
    Create a notification for this product.
    Date Public
    2026-06-13 00:00
    Credits
    Ngô Tấn Tài (@newnol)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/9router",
              "product": "9Router",
              "repo": "https://github.com/decolua/9router",
              "vendor": "decolua",
              "versions": [
                {
                  "lessThanOrEqual": "0.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ng\u00f4 T\u1ea5n T\u00e0i (@newnol)"
            }
          ],
          "datePublic": "2026-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit the missing authentication middleware on the Next.js API route to obtain full API key strings alongside token counts, cost breakdowns, and request metadata, enabling unauthorized use of connected AI provider accounts, billing fraud, and quota exhaustion."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-522",
                  "description": "Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T21:37:51.416Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-vjc7-jrh9-9j86)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86"
            },
            {
              "name": "VulnCheck Advisory: 9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/9router-unauthenticated-api-key-exposure-via-api-usage-stats"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-62327",
        "datePublished": "2026-07-13T21:37:51.416Z",
        "dateReserved": "2026-07-13T21:36:08.380Z",
        "dateUpdated": "2026-07-13T21:37:51.416Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59801 (GCVE-0-2026-59801)

    Vulnerability from nvd – Published: 2026-07-13 21:30 – Updated: 2026-07-13 21:30 X_Open Source
    VLAI
    Title
    9Router 0.4.41 - Unauthenticated API Exposure via /api/providers
    Summary
    9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under src/app/api/providers/*. Attackers can enumerate, create, modify, or delete provider connections to expose partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled servers, or cause complete denial of service by deleting all provider connections.
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    decolua 9Router Affected: 0 , ≤ 0.4.41 (semver)
    Create a notification for this product.
    Date Public
    2026-06-13 00:00
    Credits
    Ngô Tấn Tài (@newnol)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/9router",
              "product": "9Router",
              "repo": "https://github.com/decolua/9router",
              "vendor": "decolua",
              "versions": [
                {
                  "lessThanOrEqual": "0.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ng\u00f4 T\u1ea5n T\u00e0i (@newnol)"
            }
          ],
          "datePublic": "2026-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under src/app/api/providers/*. Attackers can enumerate, create, modify, or delete provider connections to expose partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled servers, or cause complete denial of service by deleting all provider connections."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T21:30:07.257Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-vjc7-jrh9-9j86)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86"
            },
            {
              "name": "VulnCheck Advisory: 9Router 0.4.41 - Unauthenticated API Exposure via /api/providers",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/9router-unauthenticated-api-exposure-via-api-providers"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "9Router 0.4.41 - Unauthenticated API Exposure via /api/providers",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-59801",
        "datePublished": "2026-07-13T21:30:07.257Z",
        "dateReserved": "2026-07-07T14:39:14.062Z",
        "dateUpdated": "2026-07-13T21:30:07.257Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56675 (GCVE-0-2026-56675)

    Vulnerability from nvd – Published: 2026-07-10 15:39 – Updated: 2026-07-10 16:55
    VLAI
    Title
    9router: Reverse proxy locality collapse allows unauthenticated access to 9router /v1 APIs
    Summary
    9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/* access without an API key, so a same-host reverse proxy that forwards public traffic to the backend through 127.0.0.1 causes src/dashboardGuard.js to misclassify external requests as local. A remote unauthenticated attacker can access /v1 APIs such as /v1/models and may abuse configured upstream provider credentials through /v1 proxy endpoints depending on enabled providers. This issue is fixed in version 0.5.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-290 - Authentication Bypass by Spoofing
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.5.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56675",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T16:54:55.352353Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T16:55:03.329Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/* access without an API key, so a same-host reverse proxy that forwards public traffic to the backend through 127.0.0.1 causes src/dashboardGuard.js to misclassify external requests as local. A remote unauthenticated attacker can access /v1 APIs such as /v1/models and may abuse configured upstream provider credentials through /v1 proxy endpoints depending on enabled providers. This issue is fixed in version 0.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:39:47.530Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-x5c9-v98j-722r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-x5c9-v98j-722r"
            },
            {
              "name": "https://github.com/decolua/9router/commit/da667836cc7584bea0edd893de1d590c9ea279dc",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/da667836cc7584bea0edd893de1d590c9ea279dc"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.5.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.5.2"
            }
          ],
          "source": {
            "advisory": "GHSA-x5c9-v98j-722r",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Reverse proxy locality collapse allows unauthenticated access to 9router /v1 APIs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56675",
        "datePublished": "2026-07-10T15:39:23.282Z",
        "dateReserved": "2026-06-22T16:39:01.044Z",
        "dateUpdated": "2026-07-10T16:55:03.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55641 (GCVE-0-2026-55641)

    Vulnerability from nvd – Published: 2026-07-10 15:36 – Updated: 2026-07-10 19:06
    VLAI
    Title
    9router: Unauthenticated `/v1` proxy access via `Host`-header spoofing → open AI relay + SSRF
    Summary
    9Router is an AI router & token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM proxy request is local by reading the client-controlled Host header, allowing a remote unauthenticated attacker to send Host: localhost and bypass API-key authentication. In the default configuration, this exposes the /v1 proxy to upstream provider calls using stored provider credentials and allows /v1/search with the searxng provider_options.baseUrl parameter to drive server-side requests to internal or cloud-metadata hosts. This issue is fixed in version 0.5.2.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    • CWE-348 - Use of Less Trusted Source
    • CWE-918 - Server-Side Request Forgery (SSRF)
    • CWE-1327 - Binding to an Unrestricted IP Address
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.5.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55641",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T19:06:04.625545Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T19:06:14.379Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-86m2-fcxq-5q7c"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM proxy request is local by reading the client-controlled Host header, allowing a remote unauthenticated attacker to send Host: localhost and bypass API-key authentication. In the default configuration, this exposes the /v1 proxy to upstream provider calls using stored provider credentials and allows /v1/search with the searxng provider_options.baseUrl parameter to drive server-side requests to internal or cloud-metadata hosts. This issue is fixed in version 0.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-348",
                  "description": "CWE-348: Use of Less Trusted Source",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1327",
                  "description": "CWE-1327: Binding to an Unrestricted IP Address",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:36:05.964Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-86m2-fcxq-5q7c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-86m2-fcxq-5q7c"
            },
            {
              "name": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.5.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.5.2"
            }
          ],
          "source": {
            "advisory": "GHSA-86m2-fcxq-5q7c",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Unauthenticated `/v1` proxy access via `Host`-header spoofing \u2192 open AI relay + SSRF"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55641",
        "datePublished": "2026-07-10T15:36:05.964Z",
        "dateReserved": "2026-06-16T23:52:12.057Z",
        "dateUpdated": "2026-07-10T19:06:14.379Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55638 (GCVE-0-2026-55638)

    Vulnerability from nvd – Published: 2026-07-10 15:38 – Updated: 2026-07-10 16:46
    VLAI
    Title
    9router: Unauthenticated LLM proxy access via /codex rewrite authorization bypass
    Summary
    9Router is an AI router & token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewrites /codex/* to /api/v1/responses. A remote unauthenticated attacker can send requests to /codex/* to bypass the API-key gate and cause the server to make upstream provider calls using operator-stored LLM provider credentials. This issue is fixed in version 0.5.2.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.5.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55638",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T16:45:56.907696Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T16:46:33.965Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-8gmq-j984-vp4r"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewrites /codex/* to /api/v1/responses. A remote unauthenticated attacker can send requests to /codex/* to bypass the API-key gate and cause the server to make upstream provider calls using operator-stored LLM provider credentials. This issue is fixed in version 0.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:38:21.922Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-8gmq-j984-vp4r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-8gmq-j984-vp4r"
            },
            {
              "name": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.5.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.5.2"
            }
          ],
          "source": {
            "advisory": "GHSA-8gmq-j984-vp4r",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Unauthenticated LLM proxy access via /codex rewrite authorization bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55638",
        "datePublished": "2026-07-10T15:38:21.922Z",
        "dateReserved": "2026-06-16T23:52:12.057Z",
        "dateUpdated": "2026-07-10T16:46:33.965Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56676 (GCVE-0-2026-56676)

    Vulnerability from nvd – Published: 2026-07-10 15:30 – Updated: 2026-07-13 18:11
    VLAI
    Title
    9router: Image prefetch DNS rebinding allows SSRF to internal services
    Summary
    9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the later server-side image fetch with a separate DNS resolution. An authenticated attacker with access to the LLM proxy can use a vision-capable model and an attacker-controlled DNS name that first resolves to a public IP and then rebinds to an internal address, allowing server-side requests to internal-only HTTP services. This issue is fixed in version 0.5.2.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.5.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56676",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T18:11:05.854652Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T18:11:54.297Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-cmhj-wh2f-9cgx"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the later server-side image fetch with a separate DNS resolution. An authenticated attacker with access to the LLM proxy can use a vision-capable model and an attacker-controlled DNS name that first resolves to a public IP and then rebinds to an internal address, allowing server-side requests to internal-only HTTP services. This issue is fixed in version 0.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:30:49.514Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-cmhj-wh2f-9cgx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-cmhj-wh2f-9cgx"
            },
            {
              "name": "https://github.com/decolua/9router/commit/c7d07448c58bec1200741de0b73305b860416b82",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/c7d07448c58bec1200741de0b73305b860416b82"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.5.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.5.2"
            }
          ],
          "source": {
            "advisory": "GHSA-cmhj-wh2f-9cgx",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Image prefetch DNS rebinding allows SSRF to internal services"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56676",
        "datePublished": "2026-07-10T15:30:49.514Z",
        "dateReserved": "2026-06-22T16:39:01.044Z",
        "dateUpdated": "2026-07-13T18:11:54.297Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55501 (GCVE-0-2026-55501)

    Vulnerability from nvd – Published: 2026-07-10 15:23 – Updated: 2026-07-10 16:45
    VLAI
    Title
    9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
    Summary
    9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail. A remote attacker can rotate the X-Forwarded-For value on each login attempt to receive a fresh rate-limit bucket, bypass the 5-attempt threshold and progressive lockout durations, and perform unlimited brute-force attempts against the dashboard password. This issue is fixed in version 0.4.80.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.4.80
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55501",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T16:44:55.006800Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T16:45:23.879Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-7cfm-pqrj-xgq7"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.4.80"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail. A remote attacker can rotate the X-Forwarded-For value on each login attempt to receive a fresh rate-limit bucket, bypass the 5-attempt threshold and progressive lockout durations, and perform unlimited brute-force attempts against the dashboard password. This issue is fixed in version 0.4.80."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:25:50.086Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-7cfm-pqrj-xgq7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-7cfm-pqrj-xgq7"
            },
            {
              "name": "https://github.com/decolua/9router/commit/7648c3412b403a29f04967c4b4e9725e228791d4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/7648c3412b403a29f04967c4b4e9725e228791d4"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.4.80",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.4.80"
            }
          ],
          "source": {
            "advisory": "GHSA-7cfm-pqrj-xgq7",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Login brute-force protection bypass via spoofed X-Forwarded-For header"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55501",
        "datePublished": "2026-07-10T15:23:53.709Z",
        "dateReserved": "2026-06-16T22:28:27.063Z",
        "dateUpdated": "2026-07-10T16:45:23.879Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55500 (GCVE-0-2026-55500)

    Vulnerability from nvd – Published: 2026-07-10 15:28 – Updated: 2026-07-10 15:41
    VLAI
    Title
    9router: Exposure of Sensitive Information and Unprotected Database Import/Export Allows Complete Credential Theft and Database Takeover
    Summary
    9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which only validates JWT or CLI token. This issue is fixed in version 0.4.80.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.4.80
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55500",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T15:39:22.455445Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T15:41:31.178Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-qvfm-67h2-2qfx"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.4.80"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which only validates JWT or CLI token. This issue is fixed in version 0.4.80."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:31:16.352Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-qvfm-67h2-2qfx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-qvfm-67h2-2qfx"
            },
            {
              "name": "https://github.com/decolua/9router/commit/0c7c9de00ae3ab81d6580e3cc368483c4c03f6fd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/0c7c9de00ae3ab81d6580e3cc368483c4c03f6fd"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.4.80",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.4.80"
            }
          ],
          "source": {
            "advisory": "GHSA-qvfm-67h2-2qfx",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Exposure of Sensitive Information and Unprotected Database Import/Export Allows Complete Credential Theft and Database Takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55500",
        "datePublished": "2026-07-10T15:28:27.620Z",
        "dateReserved": "2026-06-16T22:28:27.062Z",
        "dateUpdated": "2026-07-10T15:41:31.178Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59800 (GCVE-0-2026-59800)

    Vulnerability from nvd – Published: 2026-07-07 18:19 – Updated: 2026-07-07 19:08 X_Open Source X_Known Exploited Vulnerability
    VLAI
    Title
    9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint
    Summary
    9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    decolua 9router Affected: 0 , < 0.4.44 (semver)
    Unaffected: 0.4.44 (semver)
    Create a notification for this product.
    Date Public
    2026-05-29 00:00
    Credits
    Vũ Chí Thành (@vcth4nh) Huỳnh Đức Tin (@Ductinn)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59800",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T19:07:58.646180Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T19:08:07.806Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-g6g7-pvmx-m74p"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/9router",
              "product": "9router",
              "repo": "https://github.com/decolua/9router",
              "vendor": "decolua",
              "versions": [
                {
                  "lessThan": "0.4.44",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "0.4.44",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "V\u0169 Ch\u00ed Th\u00e0nh (@vcth4nh)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Hu\u1ef3nh \u0110\u1ee9c Tin (@Ductinn)"
            }
          ],
          "datePublic": "2026-05-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a \u0027sudo -S sh\u0027 child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC)."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T18:25:33.084Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-g6g7-pvmx-m74p)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-g6g7-pvmx-m74p"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/9router-os-command-injection-via-sudopassword-parameter-in-tailscale-install-endpoint"
            }
          ],
          "tags": [
            "x_open-source",
            "x_known-exploited-vulnerability"
          ],
          "title": "9Router \u003c 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-59800",
        "datePublished": "2026-07-07T18:19:17.154Z",
        "dateReserved": "2026-07-07T14:39:14.062Z",
        "dateUpdated": "2026-07-07T19:08:07.806Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10269 (GCVE-0-2026-10269)

    Vulnerability from nvd – Published: 2026-06-01 15:15 – Updated: 2026-06-01 19:26 X_Open Source
    VLAI
    Title
    decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization
    Summary
    A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: 0.1
    Affected: 0.2
    Affected: 0.3
    Affected: 0.4.0
    Unaffected: 0.4.1
        cpe:2.3:h:decolua:9router:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    brad (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10269",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-01T19:26:23.888695Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-01T19:26:34.067Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:h:decolua:9router:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "HTTP Header Handler"
              ],
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.1"
                },
                {
                  "status": "affected",
                  "version": "0.2"
                },
                {
                  "status": "affected",
                  "version": "0.3"
                },
                {
                  "status": "affected",
                  "version": "0.4.0"
                },
                {
                  "status": "unaffected",
                  "version": "0.4.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "brad (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-01T15:15:09.660Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-367548 | decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/367548"
            },
            {
              "name": "VDB-367548 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/367548/cti"
            },
            {
              "name": "CVE-2026-10269 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-10269"
            },
            {
              "name": "Submit #825188 | decolua 9router \u003e= 0.2.72, \u003c 0.4.1 Origin Validation Error",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/825188"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/decolua/9router/issues/742"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/decolua/9router/commit/428e2c045cb9c0eb8080e8b580471a9c2eaa95ca"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.4.1"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/decolua/9router/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-31T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-31T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-31T16:16:18.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-10269",
        "datePublished": "2026-06-01T15:15:09.660Z",
        "dateReserved": "2026-05-31T14:09:33.434Z",
        "dateUpdated": "2026-06-01T19:26:34.067Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5842 (GCVE-0-2026-5842)

    Vulnerability from nvd – Published: 2026-04-09 04:30 – Updated: 2026-04-13 19:59
    VLAI
    Title
    decolua 9router Administrative API Endpoint api authorization
    Summary
    A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: 0.3.0
    Affected: 0.3.1
    Affected: 0.3.2
    Affected: 0.3.3
    Affected: 0.3.4
    Affected: 0.3.5
    Affected: 0.3.6
    Affected: 0.3.7
    Affected: 0.3.8
    Affected: 0.3.9
    Affected: 0.3.10
    Affected: 0.3.11
    Affected: 0.3.12
    Affected: 0.3.13
    Affected: 0.3.14
    Affected: 0.3.15
    Affected: 0.3.16
    Affected: 0.3.17
    Affected: 0.3.18
    Affected: 0.3.19
    Affected: 0.3.20
    Affected: 0.3.21
    Affected: 0.3.22
    Affected: 0.3.23
    Affected: 0.3.24
    Affected: 0.3.25
    Affected: 0.3.26
    Affected: 0.3.27
    Affected: 0.3.28
    Affected: 0.3.29
    Affected: 0.3.30
    Affected: 0.3.31
    Affected: 0.3.32
    Affected: 0.3.33
    Affected: 0.3.34
    Affected: 0.3.35
    Affected: 0.3.36
    Affected: 0.3.37
    Affected: 0.3.38
    Affected: 0.3.39
    Affected: 0.3.40
    Affected: 0.3.41
    Affected: 0.3.42
    Affected: 0.3.43
    Affected: 0.3.44
    Affected: 0.3.45
    Affected: 0.3.46
    Affected: 0.3.47
    Unaffected: 0.3.75
    Create a notification for this product.
    Credits
    cyberthoth (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5842",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T19:59:13.122414Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T19:59:23.935Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Administrative API Endpoint"
              ],
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.3.0"
                },
                {
                  "status": "affected",
                  "version": "0.3.1"
                },
                {
                  "status": "affected",
                  "version": "0.3.2"
                },
                {
                  "status": "affected",
                  "version": "0.3.3"
                },
                {
                  "status": "affected",
                  "version": "0.3.4"
                },
                {
                  "status": "affected",
                  "version": "0.3.5"
                },
                {
                  "status": "affected",
                  "version": "0.3.6"
                },
                {
                  "status": "affected",
                  "version": "0.3.7"
                },
                {
                  "status": "affected",
                  "version": "0.3.8"
                },
                {
                  "status": "affected",
                  "version": "0.3.9"
                },
                {
                  "status": "affected",
                  "version": "0.3.10"
                },
                {
                  "status": "affected",
                  "version": "0.3.11"
                },
                {
                  "status": "affected",
                  "version": "0.3.12"
                },
                {
                  "status": "affected",
                  "version": "0.3.13"
                },
                {
                  "status": "affected",
                  "version": "0.3.14"
                },
                {
                  "status": "affected",
                  "version": "0.3.15"
                },
                {
                  "status": "affected",
                  "version": "0.3.16"
                },
                {
                  "status": "affected",
                  "version": "0.3.17"
                },
                {
                  "status": "affected",
                  "version": "0.3.18"
                },
                {
                  "status": "affected",
                  "version": "0.3.19"
                },
                {
                  "status": "affected",
                  "version": "0.3.20"
                },
                {
                  "status": "affected",
                  "version": "0.3.21"
                },
                {
                  "status": "affected",
                  "version": "0.3.22"
                },
                {
                  "status": "affected",
                  "version": "0.3.23"
                },
                {
                  "status": "affected",
                  "version": "0.3.24"
                },
                {
                  "status": "affected",
                  "version": "0.3.25"
                },
                {
                  "status": "affected",
                  "version": "0.3.26"
                },
                {
                  "status": "affected",
                  "version": "0.3.27"
                },
                {
                  "status": "affected",
                  "version": "0.3.28"
                },
                {
                  "status": "affected",
                  "version": "0.3.29"
                },
                {
                  "status": "affected",
                  "version": "0.3.30"
                },
                {
                  "status": "affected",
                  "version": "0.3.31"
                },
                {
                  "status": "affected",
                  "version": "0.3.32"
                },
                {
                  "status": "affected",
                  "version": "0.3.33"
                },
                {
                  "status": "affected",
                  "version": "0.3.34"
                },
                {
                  "status": "affected",
                  "version": "0.3.35"
                },
                {
                  "status": "affected",
                  "version": "0.3.36"
                },
                {
                  "status": "affected",
                  "version": "0.3.37"
                },
                {
                  "status": "affected",
                  "version": "0.3.38"
                },
                {
                  "status": "affected",
                  "version": "0.3.39"
                },
                {
                  "status": "affected",
                  "version": "0.3.40"
                },
                {
                  "status": "affected",
                  "version": "0.3.41"
                },
                {
                  "status": "affected",
                  "version": "0.3.42"
                },
                {
                  "status": "affected",
                  "version": "0.3.43"
                },
                {
                  "status": "affected",
                  "version": "0.3.44"
                },
                {
                  "status": "affected",
                  "version": "0.3.45"
                },
                {
                  "status": "affected",
                  "version": "0.3.46"
                },
                {
                  "status": "affected",
                  "version": "0.3.47"
                },
                {
                  "status": "unaffected",
                  "version": "0.3.75"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "cyberthoth (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T04:30:17.225Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-356298 | decolua 9router Administrative API Endpoint api authorization",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/356298"
            },
            {
              "name": "VDB-356298 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/356298/cti"
            },
            {
              "name": "Submit #790003 | 9Router Router 0.3.47-0.3.32 Authorization Bypass",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/790003"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/decolua/9router/issues/431"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/decolua/9router/issues/431#issuecomment-4140163867"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/deepcat1337/Free_Api_Exploit/tree/main"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.3.75"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/decolua/9router/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-08T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-04-08T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-04-08T19:48:54.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "decolua 9router Administrative API Endpoint api authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-5842",
        "datePublished": "2026-04-09T04:30:17.225Z",
        "dateReserved": "2026-04-08T17:43:46.180Z",
        "dateUpdated": "2026-04-13T19:59:23.935Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62328 (GCVE-0-2026-62328)

    Vulnerability from cvelistv5 – Published: 2026-07-13 21:37 – Updated: 2026-07-13 21:37 X_Open Source
    VLAI
    Title
    9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints
    Summary
    9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware.
    CWE
    • CWE-862 - Missing Authorization
    • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
    Assigner
    References
    Impacted products
    Vendor Product Version
    decolua 9Router Affected: 0 , ≤ 0.4.41 (semver)
    Create a notification for this product.
    Date Public
    2026-06-13 00:00
    Credits
    Ngô Tấn Tài (@newnol)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/9router",
              "product": "9Router",
              "repo": "https://github.com/decolua/9router",
              "vendor": "decolua",
              "versions": [
                {
                  "lessThanOrEqual": "0.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ng\u00f4 T\u1ea5n T\u00e0i (@newnol)"
            }
          ],
          "datePublic": "2026-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoints. Attackers can enumerate paginated request logs and retrieve complete AI conversation histories including system prompts, user messages, assistant responses, tool calls, and user email addresses by querying the request-logs and request-details API routes which lack authentication middleware."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-359",
                  "description": "Exposure of Private Personal Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T21:37:52.094Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-vjc7-jrh9-9j86)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86"
            },
            {
              "name": "VulnCheck Advisory: 9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/9router-unauthenticated-information-disclosure-via-api-usage-endpoints"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-62328",
        "datePublished": "2026-07-13T21:37:52.094Z",
        "dateReserved": "2026-07-13T21:36:08.380Z",
        "dateUpdated": "2026-07-13T21:37:52.094Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-62327 (GCVE-0-2026-62327)

    Vulnerability from cvelistv5 – Published: 2026-07-13 21:37 – Updated: 2026-07-13 21:37 X_Open Source
    VLAI
    Title
    9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats
    Summary
    9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit the missing authentication middleware on the Next.js API route to obtain full API key strings alongside token counts, cost breakdowns, and request metadata, enabling unauthorized use of connected AI provider accounts, billing fraud, and quota exhaustion.
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-522 - Insufficiently Protected Credentials
    Assigner
    References
    Impacted products
    Vendor Product Version
    decolua 9Router Affected: 0 , ≤ 0.4.41 (semver)
    Create a notification for this product.
    Date Public
    2026-06-13 00:00
    Credits
    Ngô Tấn Tài (@newnol)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/9router",
              "product": "9Router",
              "repo": "https://github.com/decolua/9router",
              "vendor": "decolua",
              "versions": [
                {
                  "lessThanOrEqual": "0.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ng\u00f4 T\u1ea5n T\u00e0i (@newnol)"
            }
          ],
          "datePublic": "2026-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by sending a single unauthenticated request to the /api/usage/stats endpoint. Attackers can exploit the missing authentication middleware on the Next.js API route to obtain full API key strings alongside token counts, cost breakdowns, and request metadata, enabling unauthorized use of connected AI provider accounts, billing fraud, and quota exhaustion."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                },
                {
                  "cweId": "CWE-522",
                  "description": "Insufficiently Protected Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T21:37:51.416Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-vjc7-jrh9-9j86)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86"
            },
            {
              "name": "VulnCheck Advisory: 9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/9router-unauthenticated-api-key-exposure-via-api-usage-stats"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-62327",
        "datePublished": "2026-07-13T21:37:51.416Z",
        "dateReserved": "2026-07-13T21:36:08.380Z",
        "dateUpdated": "2026-07-13T21:37:51.416Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59801 (GCVE-0-2026-59801)

    Vulnerability from cvelistv5 – Published: 2026-07-13 21:30 – Updated: 2026-07-13 21:30 X_Open Source
    VLAI
    Title
    9Router 0.4.41 - Unauthenticated API Exposure via /api/providers
    Summary
    9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under src/app/api/providers/*. Attackers can enumerate, create, modify, or delete provider connections to expose partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled servers, or cause complete denial of service by deleting all provider connections.
    CWE
    • CWE-306 - Missing Authentication for Critical Function
    Assigner
    References
    Impacted products
    Vendor Product Version
    decolua 9Router Affected: 0 , ≤ 0.4.41 (semver)
    Create a notification for this product.
    Date Public
    2026-06-13 00:00
    Credits
    Ngô Tấn Tài (@newnol)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/9router",
              "product": "9Router",
              "repo": "https://github.com/decolua/9router",
              "vendor": "decolua",
              "versions": [
                {
                  "lessThanOrEqual": "0.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Ng\u00f4 T\u1ea5n T\u00e0i (@newnol)"
            }
          ],
          "datePublic": "2026-06-13T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router through version 0.4.41 contains an unauthenticated access vulnerability that allows remote attackers to interact with provider management API endpoints by sending requests without any credentials due to missing authentication middleware in the Next.js API routes under src/app/api/providers/*. Attackers can enumerate, create, modify, or delete provider connections to expose partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled servers, or cause complete denial of service by deleting all provider connections."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.3,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T21:30:07.257Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-vjc7-jrh9-9j86)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-vjc7-jrh9-9j86"
            },
            {
              "name": "VulnCheck Advisory: 9Router 0.4.41 - Unauthenticated API Exposure via /api/providers",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/9router-unauthenticated-api-exposure-via-api-providers"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "title": "9Router 0.4.41 - Unauthenticated API Exposure via /api/providers",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-59801",
        "datePublished": "2026-07-13T21:30:07.257Z",
        "dateReserved": "2026-07-07T14:39:14.062Z",
        "dateUpdated": "2026-07-13T21:30:07.257Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56675 (GCVE-0-2026-56675)

    Vulnerability from cvelistv5 – Published: 2026-07-10 15:39 – Updated: 2026-07-10 16:55
    VLAI
    Title
    9router: Reverse proxy locality collapse allows unauthenticated access to 9router /v1 APIs
    Summary
    9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/* access without an API key, so a same-host reverse proxy that forwards public traffic to the backend through 127.0.0.1 causes src/dashboardGuard.js to misclassify external requests as local. A remote unauthenticated attacker can access /v1 APIs such as /v1/models and may abuse configured upstream provider credentials through /v1 proxy endpoints depending on enabled providers. This issue is fixed in version 0.5.2.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    • CWE-290 - Authentication Bypass by Spoofing
    • CWE-306 - Missing Authentication for Critical Function
    • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.5.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56675",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T16:54:55.352353Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T16:55:03.329Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/* access without an API key, so a same-host reverse proxy that forwards public traffic to the backend through 127.0.0.1 causes src/dashboardGuard.js to misclassify external requests as local. A remote unauthenticated attacker can access /v1 APIs such as /v1/models and may abuse configured upstream provider credentials through /v1 proxy endpoints depending on enabled providers. This issue is fixed in version 0.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-306",
                  "description": "CWE-306: Missing Authentication for Critical Function",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-441",
                  "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:39:47.530Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-x5c9-v98j-722r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-x5c9-v98j-722r"
            },
            {
              "name": "https://github.com/decolua/9router/commit/da667836cc7584bea0edd893de1d590c9ea279dc",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/da667836cc7584bea0edd893de1d590c9ea279dc"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.5.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.5.2"
            }
          ],
          "source": {
            "advisory": "GHSA-x5c9-v98j-722r",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Reverse proxy locality collapse allows unauthenticated access to 9router /v1 APIs"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56675",
        "datePublished": "2026-07-10T15:39:23.282Z",
        "dateReserved": "2026-06-22T16:39:01.044Z",
        "dateUpdated": "2026-07-10T16:55:03.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55638 (GCVE-0-2026-55638)

    Vulnerability from cvelistv5 – Published: 2026-07-10 15:38 – Updated: 2026-07-10 16:46
    VLAI
    Title
    9router: Unauthenticated LLM proxy access via /codex rewrite authorization bypass
    Summary
    9Router is an AI router & token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewrites /codex/* to /api/v1/responses. A remote unauthenticated attacker can send requests to /codex/* to bypass the API-key gate and cause the server to make upstream provider calls using operator-stored LLM provider credentials. This issue is fixed in version 0.5.2.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.5.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55638",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T16:45:56.907696Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T16:46:33.965Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-8gmq-j984-vp4r"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewrites /codex/* to /api/v1/responses. A remote unauthenticated attacker can send requests to /codex/* to bypass the API-key gate and cause the server to make upstream provider calls using operator-stored LLM provider credentials. This issue is fixed in version 0.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862: Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "CWE-863: Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:38:21.922Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-8gmq-j984-vp4r",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-8gmq-j984-vp4r"
            },
            {
              "name": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.5.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.5.2"
            }
          ],
          "source": {
            "advisory": "GHSA-8gmq-j984-vp4r",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Unauthenticated LLM proxy access via /codex rewrite authorization bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55638",
        "datePublished": "2026-07-10T15:38:21.922Z",
        "dateReserved": "2026-06-16T23:52:12.057Z",
        "dateUpdated": "2026-07-10T16:46:33.965Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55641 (GCVE-0-2026-55641)

    Vulnerability from cvelistv5 – Published: 2026-07-10 15:36 – Updated: 2026-07-10 19:06
    VLAI
    Title
    9router: Unauthenticated `/v1` proxy access via `Host`-header spoofing → open AI relay + SSRF
    Summary
    9Router is an AI router & token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM proxy request is local by reading the client-controlled Host header, allowing a remote unauthenticated attacker to send Host: localhost and bypass API-key authentication. In the default configuration, this exposes the /v1 proxy to upstream provider calls using stored provider credentials and allows /v1/search with the searxng provider_options.baseUrl parameter to drive server-side requests to internal or cloud-metadata hosts. This issue is fixed in version 0.5.2.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    • CWE-348 - Use of Less Trusted Source
    • CWE-918 - Server-Side Request Forgery (SSRF)
    • CWE-1327 - Binding to an Unrestricted IP Address
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.5.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55641",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T19:06:04.625545Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T19:06:14.379Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-86m2-fcxq-5q7c"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM proxy request is local by reading the client-controlled Host header, allowing a remote unauthenticated attacker to send Host: localhost and bypass API-key authentication. In the default configuration, this exposes the /v1 proxy to upstream provider calls using stored provider credentials and allows /v1/search with the searxng provider_options.baseUrl parameter to drive server-side requests to internal or cloud-metadata hosts. This issue is fixed in version 0.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-348",
                  "description": "CWE-348: Use of Less Trusted Source",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1327",
                  "description": "CWE-1327: Binding to an Unrestricted IP Address",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:36:05.964Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-86m2-fcxq-5q7c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-86m2-fcxq-5q7c"
            },
            {
              "name": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/b282f0554972ea35281520738759d76abcd0b0b3"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.5.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.5.2"
            }
          ],
          "source": {
            "advisory": "GHSA-86m2-fcxq-5q7c",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Unauthenticated `/v1` proxy access via `Host`-header spoofing \u2192 open AI relay + SSRF"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55641",
        "datePublished": "2026-07-10T15:36:05.964Z",
        "dateReserved": "2026-06-16T23:52:12.057Z",
        "dateUpdated": "2026-07-10T19:06:14.379Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-56676 (GCVE-0-2026-56676)

    Vulnerability from cvelistv5 – Published: 2026-07-10 15:30 – Updated: 2026-07-13 18:11
    VLAI
    Title
    9router: Image prefetch DNS rebinding allows SSRF to internal services
    Summary
    9Router is an AI router & token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the later server-side image fetch with a separate DNS resolution. An authenticated attacker with access to the LLM proxy can use a vision-capable model and an attacker-controlled DNS name that first resolves to a public IP and then rebinds to an internal address, allowing server-side requests to internal-only HTTP services. This issue is fixed in version 0.5.2.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.5.2
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-56676",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T18:11:05.854652Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T18:11:54.297Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-cmhj-wh2f-9cgx"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.2"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.5.2, 9router validates image URLs by resolving the host before fetching, but open-sse/translator/concerns/image.js performs the later server-side image fetch with a separate DNS resolution. An authenticated attacker with access to the LLM proxy can use a vision-capable model and an attacker-controlled DNS name that first resolves to a public IP and then rebinds to an internal address, allowing server-side requests to internal-only HTTP services. This issue is fixed in version 0.5.2."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-367",
                  "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918: Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:30:49.514Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-cmhj-wh2f-9cgx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-cmhj-wh2f-9cgx"
            },
            {
              "name": "https://github.com/decolua/9router/commit/c7d07448c58bec1200741de0b73305b860416b82",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/c7d07448c58bec1200741de0b73305b860416b82"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.5.2",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.5.2"
            }
          ],
          "source": {
            "advisory": "GHSA-cmhj-wh2f-9cgx",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Image prefetch DNS rebinding allows SSRF to internal services"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-56676",
        "datePublished": "2026-07-10T15:30:49.514Z",
        "dateReserved": "2026-06-22T16:39:01.044Z",
        "dateUpdated": "2026-07-13T18:11:54.297Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55500 (GCVE-0-2026-55500)

    Vulnerability from cvelistv5 – Published: 2026-07-10 15:28 – Updated: 2026-07-10 15:41
    VLAI
    Title
    9router: Exposure of Sensitive Information and Unprotected Database Import/Export Allows Complete Credential Theft and Database Takeover
    Summary
    9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which only validates JWT or CLI token. This issue is fixed in version 0.4.80.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.4.80
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55500",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T15:39:22.455445Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T15:41:31.178Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-qvfm-67h2-2qfx"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.4.80"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) without any authentication requirement beyond the ALWAYS_PROTECTED middleware check, which only validates JWT or CLI token. This issue is fixed in version 0.4.80."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.9,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:31:16.352Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-qvfm-67h2-2qfx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-qvfm-67h2-2qfx"
            },
            {
              "name": "https://github.com/decolua/9router/commit/0c7c9de00ae3ab81d6580e3cc368483c4c03f6fd",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/0c7c9de00ae3ab81d6580e3cc368483c4c03f6fd"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.4.80",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.4.80"
            }
          ],
          "source": {
            "advisory": "GHSA-qvfm-67h2-2qfx",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Exposure of Sensitive Information and Unprotected Database Import/Export Allows Complete Credential Theft and Database Takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55500",
        "datePublished": "2026-07-10T15:28:27.620Z",
        "dateReserved": "2026-06-16T22:28:27.062Z",
        "dateUpdated": "2026-07-10T15:41:31.178Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-55501 (GCVE-0-2026-55501)

    Vulnerability from cvelistv5 – Published: 2026-07-10 15:23 – Updated: 2026-07-10 16:45
    VLAI
    Title
    9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
    Summary
    9Router is an AI router & token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail. A remote attacker can rotate the X-Forwarded-For value on each login attempt to receive a fresh rate-limit bucket, bypass the 5-attempt threshold and progressive lockout durations, and perform unlimited brute-force attempts against the dashboard password. This issue is fixed in version 0.4.80.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-307 - Improper Restriction of Excessive Authentication Attempts
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: < 0.4.80
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-55501",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-10T16:44:55.006800Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-10T16:45:23.879Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-7cfm-pqrj-xgq7"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.4.80"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router is an AI router \u0026 token saver. Prior to 0.4.80, the dashboard login rate limiter in src/lib/auth/loginLimiter.js derives the client identity from the attacker-controlled X-Forwarded-For HTTP header, and src/app/api/auth/login/route.js uses that spoofable value for checkLock and recordFail. A remote attacker can rotate the X-Forwarded-For value on each login attempt to receive a fresh rate-limit bucket, bypass the 5-attempt threshold and progressive lockout durations, and perform unlimited brute-force attempts against the dashboard password. This issue is fixed in version 0.4.80."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-307",
                  "description": "CWE-307: Improper Restriction of Excessive Authentication Attempts",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-10T15:25:50.086Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/decolua/9router/security/advisories/GHSA-7cfm-pqrj-xgq7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-7cfm-pqrj-xgq7"
            },
            {
              "name": "https://github.com/decolua/9router/commit/7648c3412b403a29f04967c4b4e9725e228791d4",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/commit/7648c3412b403a29f04967c4b4e9725e228791d4"
            },
            {
              "name": "https://github.com/decolua/9router/releases/tag/v0.4.80",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.4.80"
            }
          ],
          "source": {
            "advisory": "GHSA-7cfm-pqrj-xgq7",
            "discovery": "UNKNOWN"
          },
          "title": "9router: Login brute-force protection bypass via spoofed X-Forwarded-For header"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-55501",
        "datePublished": "2026-07-10T15:23:53.709Z",
        "dateReserved": "2026-06-16T22:28:27.063Z",
        "dateUpdated": "2026-07-10T16:45:23.879Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-59800 (GCVE-0-2026-59800)

    Vulnerability from cvelistv5 – Published: 2026-07-07 18:19 – Updated: 2026-07-07 19:08 X_Open Source X_Known Exploited Vulnerability
    VLAI
    Title
    9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint
    Summary
    9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    decolua 9router Affected: 0 , < 0.4.44 (semver)
    Unaffected: 0.4.44 (semver)
    Create a notification for this product.
    Date Public
    2026-05-29 00:00
    Credits
    Vũ Chí Thành (@vcth4nh) Huỳnh Đức Tin (@Ductinn)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-59800",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T19:07:58.646180Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T19:08:07.806Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/decolua/9router/security/advisories/GHSA-g6g7-pvmx-m74p"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "packageURL": "pkg:npm/9router",
              "product": "9router",
              "repo": "https://github.com/decolua/9router",
              "vendor": "decolua",
              "versions": [
                {
                  "lessThan": "0.4.44",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                },
                {
                  "status": "unaffected",
                  "version": "0.4.44",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "V\u0169 Ch\u00ed Th\u00e0nh (@vcth4nh)"
            },
            {
              "lang": "en",
              "type": "reporter",
              "value": "Hu\u1ef3nh \u0110\u1ee9c Tin (@Ductinn)"
            }
          ],
          "datePublic": "2026-05-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a \u0027sudo -S sh\u0027 child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC)."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-07T18:25:33.084Z",
            "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
            "shortName": "VulnCheck"
          },
          "references": [
            {
              "name": "GitHub Security Advisory (GHSA-g6g7-pvmx-m74p)",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://github.com/decolua/9router/security/advisories/GHSA-g6g7-pvmx-m74p"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://www.vulncheck.com/advisories/9router-os-command-injection-via-sudopassword-parameter-in-tailscale-install-endpoint"
            }
          ],
          "tags": [
            "x_open-source",
            "x_known-exploited-vulnerability"
          ],
          "title": "9Router \u003c 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint",
          "x_generator": {
            "engine": "vulncheck-endgame"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "assignerShortName": "VulnCheck",
        "cveId": "CVE-2026-59800",
        "datePublished": "2026-07-07T18:19:17.154Z",
        "dateReserved": "2026-07-07T14:39:14.062Z",
        "dateUpdated": "2026-07-07T19:08:07.806Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10269 (GCVE-0-2026-10269)

    Vulnerability from cvelistv5 – Published: 2026-06-01 15:15 – Updated: 2026-06-01 19:26 X_Open Source
    VLAI
    Title
    decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization
    Summary
    A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-285 - Improper Authorization
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: 0.1
    Affected: 0.2
    Affected: 0.3
    Affected: 0.4.0
    Unaffected: 0.4.1
        cpe:2.3:h:decolua:9router:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    brad (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10269",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-01T19:26:23.888695Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-01T19:26:34.067Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:h:decolua:9router:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "HTTP Header Handler"
              ],
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.1"
                },
                {
                  "status": "affected",
                  "version": "0.2"
                },
                {
                  "status": "affected",
                  "version": "0.3"
                },
                {
                  "status": "affected",
                  "version": "0.4.0"
                },
                {
                  "status": "unaffected",
                  "version": "0.4.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "brad (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be carried out remotely. Upgrading to version 0.4.1 is capable of addressing this issue. The identifier of the patch is 428e2c045cb9c0eb8080e8b580471a9c2eaa95ca. Upgrading the affected component is recommended."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-01T15:15:09.660Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-367548 | decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/367548"
            },
            {
              "name": "VDB-367548 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/367548/cti"
            },
            {
              "name": "CVE-2026-10269 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-10269"
            },
            {
              "name": "Submit #825188 | decolua 9router \u003e= 0.2.72, \u003c 0.4.1 Origin Validation Error",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/825188"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/decolua/9router/issues/742"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/decolua/9router/commit/428e2c045cb9c0eb8080e8b580471a9c2eaa95ca"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.4.1"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/decolua/9router/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-31T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-05-31T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-05-31T16:16:18.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-10269",
        "datePublished": "2026-06-01T15:15:09.660Z",
        "dateReserved": "2026-05-31T14:09:33.434Z",
        "dateUpdated": "2026-06-01T19:26:34.067Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5842 (GCVE-0-2026-5842)

    Vulnerability from cvelistv5 – Published: 2026-04-09 04:30 – Updated: 2026-04-13 19:59
    VLAI
    Title
    decolua 9router Administrative API Endpoint api authorization
    Summary
    A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    decolua 9router Affected: 0.3.0
    Affected: 0.3.1
    Affected: 0.3.2
    Affected: 0.3.3
    Affected: 0.3.4
    Affected: 0.3.5
    Affected: 0.3.6
    Affected: 0.3.7
    Affected: 0.3.8
    Affected: 0.3.9
    Affected: 0.3.10
    Affected: 0.3.11
    Affected: 0.3.12
    Affected: 0.3.13
    Affected: 0.3.14
    Affected: 0.3.15
    Affected: 0.3.16
    Affected: 0.3.17
    Affected: 0.3.18
    Affected: 0.3.19
    Affected: 0.3.20
    Affected: 0.3.21
    Affected: 0.3.22
    Affected: 0.3.23
    Affected: 0.3.24
    Affected: 0.3.25
    Affected: 0.3.26
    Affected: 0.3.27
    Affected: 0.3.28
    Affected: 0.3.29
    Affected: 0.3.30
    Affected: 0.3.31
    Affected: 0.3.32
    Affected: 0.3.33
    Affected: 0.3.34
    Affected: 0.3.35
    Affected: 0.3.36
    Affected: 0.3.37
    Affected: 0.3.38
    Affected: 0.3.39
    Affected: 0.3.40
    Affected: 0.3.41
    Affected: 0.3.42
    Affected: 0.3.43
    Affected: 0.3.44
    Affected: 0.3.45
    Affected: 0.3.46
    Affected: 0.3.47
    Unaffected: 0.3.75
    Create a notification for this product.
    Credits
    cyberthoth (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5842",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T19:59:13.122414Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T19:59:23.935Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "modules": [
                "Administrative API Endpoint"
              ],
              "product": "9router",
              "vendor": "decolua",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.3.0"
                },
                {
                  "status": "affected",
                  "version": "0.3.1"
                },
                {
                  "status": "affected",
                  "version": "0.3.2"
                },
                {
                  "status": "affected",
                  "version": "0.3.3"
                },
                {
                  "status": "affected",
                  "version": "0.3.4"
                },
                {
                  "status": "affected",
                  "version": "0.3.5"
                },
                {
                  "status": "affected",
                  "version": "0.3.6"
                },
                {
                  "status": "affected",
                  "version": "0.3.7"
                },
                {
                  "status": "affected",
                  "version": "0.3.8"
                },
                {
                  "status": "affected",
                  "version": "0.3.9"
                },
                {
                  "status": "affected",
                  "version": "0.3.10"
                },
                {
                  "status": "affected",
                  "version": "0.3.11"
                },
                {
                  "status": "affected",
                  "version": "0.3.12"
                },
                {
                  "status": "affected",
                  "version": "0.3.13"
                },
                {
                  "status": "affected",
                  "version": "0.3.14"
                },
                {
                  "status": "affected",
                  "version": "0.3.15"
                },
                {
                  "status": "affected",
                  "version": "0.3.16"
                },
                {
                  "status": "affected",
                  "version": "0.3.17"
                },
                {
                  "status": "affected",
                  "version": "0.3.18"
                },
                {
                  "status": "affected",
                  "version": "0.3.19"
                },
                {
                  "status": "affected",
                  "version": "0.3.20"
                },
                {
                  "status": "affected",
                  "version": "0.3.21"
                },
                {
                  "status": "affected",
                  "version": "0.3.22"
                },
                {
                  "status": "affected",
                  "version": "0.3.23"
                },
                {
                  "status": "affected",
                  "version": "0.3.24"
                },
                {
                  "status": "affected",
                  "version": "0.3.25"
                },
                {
                  "status": "affected",
                  "version": "0.3.26"
                },
                {
                  "status": "affected",
                  "version": "0.3.27"
                },
                {
                  "status": "affected",
                  "version": "0.3.28"
                },
                {
                  "status": "affected",
                  "version": "0.3.29"
                },
                {
                  "status": "affected",
                  "version": "0.3.30"
                },
                {
                  "status": "affected",
                  "version": "0.3.31"
                },
                {
                  "status": "affected",
                  "version": "0.3.32"
                },
                {
                  "status": "affected",
                  "version": "0.3.33"
                },
                {
                  "status": "affected",
                  "version": "0.3.34"
                },
                {
                  "status": "affected",
                  "version": "0.3.35"
                },
                {
                  "status": "affected",
                  "version": "0.3.36"
                },
                {
                  "status": "affected",
                  "version": "0.3.37"
                },
                {
                  "status": "affected",
                  "version": "0.3.38"
                },
                {
                  "status": "affected",
                  "version": "0.3.39"
                },
                {
                  "status": "affected",
                  "version": "0.3.40"
                },
                {
                  "status": "affected",
                  "version": "0.3.41"
                },
                {
                  "status": "affected",
                  "version": "0.3.42"
                },
                {
                  "status": "affected",
                  "version": "0.3.43"
                },
                {
                  "status": "affected",
                  "version": "0.3.44"
                },
                {
                  "status": "affected",
                  "version": "0.3.45"
                },
                {
                  "status": "affected",
                  "version": "0.3.46"
                },
                {
                  "status": "affected",
                  "version": "0.3.47"
                },
                {
                  "status": "unaffected",
                  "version": "0.3.75"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "cyberthoth (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-09T04:30:17.225Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-356298 | decolua 9router Administrative API Endpoint api authorization",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/356298"
            },
            {
              "name": "VDB-356298 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/356298/cti"
            },
            {
              "name": "Submit #790003 | 9Router Router 0.3.47-0.3.32 Authorization Bypass",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/790003"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/decolua/9router/issues/431"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/decolua/9router/issues/431#issuecomment-4140163867"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/deepcat1337/Free_Api_Exploit/tree/main"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/decolua/9router/releases/tag/v0.3.75"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/decolua/9router/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-08T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-04-08T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-04-08T19:48:54.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "decolua 9router Administrative API Endpoint api authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-5842",
        "datePublished": "2026-04-09T04:30:17.225Z",
        "dateReserved": "2026-04-08T17:43:46.180Z",
        "dateUpdated": "2026-04-13T19:59:23.935Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }