CVE-2026-46339 - 9Router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
CVE ID :CVE-2026-46339 Published : July 15, 2026, 9:16 p.m. | 1 hour, 17 minutes ago Description :9Router is an AI router & token saver. From 0.4.30 until 0.4.37, 9Router's src/proxy.js middleware did not protect /api/cli-tools/* and /api/mcp/*, allowing unauthenticated registration of...