Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3148 articles · 172086 vulns · 36/41 feeds (7d)
← Back to list
9.8
CVE-2026-59800KEVEXPLOITEDPATCHED
npm · 9router

9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint

Description

9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).

Affected Products

VendorProductVersions
npm9router0

References

  • https://github.com/decolua/9router/security/advisories/GHSA-g6g7-pvmx-m74p(vendor-advisory)
  • https://www.vulncheck.com/advisories/9router-os-command-injection-via-sudopassword-parameter-in-tailscale-install-endpoint(third-party-advisory)

Related News (1 articles)

Tier C
VulDB5h ago
CVE-2026-59800 | decolua 9Router up to 0.4.43 Tailscale Install tailscale-install sudoPassword os command injection
→ No new info (linked only)
CVSS 3.19.8 NONE
CISA KEV✅ Yes
Actively exploited✅ Yes
Patch available
9router@0.4.44
CWECWE-78
PublishedJul 2, 2026
Last enriched5h agov2
Tags
GHSA-g6g7-pvmx-m74pnpm
Trending Score100
Source articles1
Independent1
Info Completeness8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

HIGHCVE-2026-53516
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
HIGHCVE-2026-53514
Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
CRITICALCVE-2026-53512
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
HIGHCVE-2026-53517
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
CRITICALCVE-2026-53513
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 2, 2026
Added to CISA KEV
Jul 2, 2026
Discovered by ZDM
Jul 7, 2026
Updated: affectedVersions, severity
Jul 7, 2026
Actively Exploited
Jul 7, 2026
Patch Available
Jul 7, 2026

Version History

v2
Last enriched 5h ago
v2Tier C5h ago

Updated vendor to decolua, product to 9Router, affected versions to up to 0.4.43, severity to HIGH, and noted that no exploit exists.

affectedVersionsseverity
via VulDB
v16h ago

Initial creation