Product
Joro's default proxy mode (versions ≤ v1.1.0) is vulnerable to unauthenticated remote code execution (CVE-2026-53649) via a local API on `127.0.0.1:9090` that allows cross-origin JavaScript to upload a malicious native plugin and trigger a system restart, leading to RCE as the operator's user from a single page visit.