Skip to content

CVE lookup

CVE-2026-59800

Pruva has a verified reproduction for CVE-2026-59800: 9router before 0.4.44 allows unauthenticated remote OS command execution via the /api/tunnel/tailscale-install endpoint by injecting shell commands in the sudoPassword field when sudo does not prompt for a password.. The canonical evidence record is REPRO-2026-00270.

REPRO

REPRO-2026-00270

Package

9router (npm) · npm

Severity

CRITICAL

Status

published