Product
A critical OS command injection vulnerability (CVE-2026-59800) affects 9Router versions prior to 0.4.44, allowing unauthenticated remote attackers to execute arbitrary OS commands as root via a crafted POST request to the /api/tunnel/tailscale-install endpoint, leading to full system compromise with active exploitation observed.