9router
npm4 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting 9routerpage 1 of 1
- CVE-2026-46339CRITICALCVSS 10.0EG 10.0✓ Fixed in 0.4.372026-05-19
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes ## Summary 9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS…
- CVE-2026-55500CRITICALCVSS 9.9EG 9.92026-07-06
9Router is an AI router & token saver. Prior to 0.4.80, the /api/settings/database endpoint allows full database export (containing all credentials, API keys, OAuth tokens, and settings) and full database import (complete overwrite) withou…
- CVE-2026-5842HIGHCVSS 7.3EG 7.3✓ Fixed in 0.3.752026-04-09
A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The atta…
- CVE-2026-59800CRITICALCVSS 9.8EG 9.8✓ Fixed in 0.4.442026-07-07
9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). …
Check whether 9router is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for 9router CVEs against the assets you own.
Start Free Scan →