CVE-2026-5842

EUVD-2026-20853

09.04.2026, 05:16

A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 0.3.75 is sufficient to resolve this issue. It is suggested to upgrade the affected component.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.3 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-285 - Improper Authorization
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References

https://github.com/decolua/9router/

https://github.com/decolua/9router/issues/431

https://github.com/decolua/9router/issues/431#issuecomment-4140163867

https://github.com/decolua/9router/releases/tag/v0.3.75

https://github.com/deepcat1337/Free_Api_Exploit/tree/main

https://vuldb.com/submit/790003

https://vuldb.com/vuln/356298

https://vuldb.com/vuln/356298/cti