What is CVE-2026-9495?

CVE-2026-9495 is a high-severity vulnerability in @Koa/router, classified under Improper Access Control. CVSS score: 7.3/10. Published 2026-05-26.

How severe is CVE-2026-9495?

High severity. CVSS v3 base score is 7.3 out of 10.

Vulnerability in @Koa/router

CVE-2026-9495

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on w…

EPSS: 0.001 (27.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L.

Affected products

N/a @Koa/router — versions 14.0.0

Weakness classification (CWE)

CWE-284 — Improper Access Control

References

report@snyk.io
report@snyk.io
report@snyk.io
report@snyk.io

Frequently asked questions

What is CVE-2026-9495?: CVE-2026-9495 is a high-severity vulnerability in @Koa/router, classified under Improper Access Control. CVSS score: 7.3/10. Published 2026-05-26.
How severe is CVE-2026-9495?: High severity. CVSS v3 base score is 7.3 out of 10.