A vulnerability was found in decolua 9router up to 0.5.1. It has been rated as very critical. This impacts the function
child_process.spawn of the file /api/mcp of the component child_process. The manipulation leads to os command injection.
This vulnerability is documented as CVE-2026-62312. The attack can be initiated remotely. There is not any exploit available.