3 matches found
9router: Missing Authorization and OS Command Injection
POST /api/tunnel/tailscale-install accepts a JSON body with a sudoPassword field and pipes it, followed by the body of https://tailscale.com/install.sh, into a child process spawned as sudo -S sh. The route is not present in the dashboard middleware matcher in src/proxy.js, so the request reaches...
CVE-2026-10269 decolua 9router HTTP Header dashboardGuard.js isAuthenticated improper authorization
A security vulnerability has been detected in decolua 9router up to 0.4.0. This issue affects the function isAuthenticated of the file src/dashboardGuard.js of the component HTTP Header Handler. The manipulation of the argument Host leads to improper authorization. The attack is possible to be...
CVE-2026-10269
Summary (CVE-2026-10269) : A vulnerability in decolua 9router