tailscale is vulnerable to remote code execution. The library does not have host header verification, which allows an attacker-controlled coordination server to send malicious URL responses to the client, including pushing executables or installing an SMB share.