Skip to main content

Koa Router

1 CVEs product

Monthly

CVE-2026-9495 npm MEDIUM PATCH This Month

{ prefix: '/:category' })`), enabling complete bypass of whatever protection that middleware was intended to enforce - authentication, authorization, rate limiting, or input sanitization. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is remotely exploitable with no authentication or user interaction required, and SSVC classifies it as automatable. Publicly available exploit code exists per SSVC classification; EPSS is low at 0.09% (25th percentile), suggesting limited widespread exploitation at time of analysis.

Authentication Bypass Koa Router
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

{ prefix: '/:category' })`), enabling complete bypass of whatever protection that middleware was intended to enforce - authentication, authorization, rate limiting, or input sanitization. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is remotely exploitable with no authentication or user interaction required, and SSVC classifies it as automatable. Publicly available exploit code exists per SSVC classification; EPSS is low at 0.09% (25th percentile), suggesting limited widespread exploitation at time of analysis.

Authentication Bypass Koa Router
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy