CVE-2026-9495 documents an access control bypass vulnerability in @koa/router versions 14.0.0 through 14.x, where middleware is silently dropped from the execution chain when a router prefix contains path parameters. This defect can enable authentication/authorization bypass, rate limit evasion, or input sanitization bypass depending on the skipped middleware's purpose. The vulnerability was disclosed on [truncated]
CVE-2026-27959 is a HIGH severity vulnerability in Koa, a middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. This allows for Host header injection attacks when a malformed Host header c [truncated]