CVE-2026-56679
9Router (AI router & token saver) contains a mass-assignment vulnerability in PATCH /api/settings prior to version 0.5.4. The endpoint writes the entire request body to persistent settings without a field whitelist, enabling an authenticated user to modify security-critical fields such as require...