Tag
The 9router dashboard login rate limiter incorrectly uses the attacker-controlled X-Forwarded-For HTTP header to identify clients, leading to a brute-force protection bypass (CVE-2026-55501) that allows attackers to circumvent the lockout mechanism and conduct unlimited password brute-force attempts to gain administrative access.