Npm · @Koa/Router · CVE-2026-9495
**Name of the Vulnerable Software and Affected Versions**
@koa/router versions 14.0.0 through 14.x
**Description**
An Access Control Bypass exists when a router prefix contains path parameters, causing middleware to be silently dropped from the execution chain. This allows an attacker to bypass authentication, authorization, rate limiting, or input sanitization, depending on the purpose of the skipped middleware.
**Recommendations**
Update to version 15.0.0.