MEDIUM
koajs
CVE published 2026-05-26
CVE-2026-9495
CVE-2026-9495 documents an access control bypass vulnerability in @koa/router versions 14.0.0 through 14.x, where middleware is silently dropped from the execution chain when a router prefix contains path parameters. This defect can enable authentication/authorization bypass, rate limit evasion, or input sanitization bypass depending on the skipped middleware's purpose. The vulnerability was disclosed on [truncated]