Vulnerability_id VCID-tfcu-w2ek-wkf9
Summary
n8n has a Sandbox Escape in its JavaScript Task Runner
An authenticated user with permission to create or modify workflows could exploit a vulnerability in the JavaScript Task Runner sandbox to execute arbitrary code outside the sandbox boundary.

On instances using internal Task Runners (default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other tasks executed on the Task Runner.
- Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`.
Aliases
0
alias CVE-2026-27495
1
alias GHSA-jjpj-p2wh-qf23
Fixed_packages
0
url pkg:npm/n8n@1.123.22
purl pkg:npm/n8n@1.123.22
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22
1
url pkg:npm/n8n@2.9.3
purl pkg:npm/n8n@2.9.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3
2
url pkg:npm/n8n@2.10.1
purl pkg:npm/n8n@2.10.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1
Affected_packages
0
url pkg:npm/n8n@2.0.0
purl pkg:npm/n8n@2.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2srm-ktga-w7hb
1
vulnerability VCID-3bk2-zvud-c7et
2
vulnerability VCID-3qs7-8ewt-j3aa
3
vulnerability VCID-4w75-581c-3ycz
4
vulnerability VCID-6f6h-nx37-fqbx
5
vulnerability VCID-akxw-urjb-qff8
6
vulnerability VCID-axyq-35hd-skhq
7
vulnerability VCID-dd53-wba6-f3c6
8
vulnerability VCID-h82c-378t-aqb3
9
vulnerability VCID-j3t9-jkr4-7fbc
10
vulnerability VCID-ka79-3enj-fkew
11
vulnerability VCID-nafx-g818-nbb6
12
vulnerability VCID-srsg-ge6y-2ybu
13
vulnerability VCID-tfcu-w2ek-wkf9
14
vulnerability VCID-txf4-9gr1-ekcj
15
vulnerability VCID-upx4-rmwg-yqfz
16
vulnerability VCID-wz7x-wqw3-wbg5
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0
1
url pkg:npm/n8n@2.10.0
purl pkg:npm/n8n@2.10.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3bk2-zvud-c7et
1
vulnerability VCID-axyq-35hd-skhq
2
vulnerability VCID-dd53-wba6-f3c6
3
vulnerability VCID-j3t9-jkr4-7fbc
4
vulnerability VCID-ka79-3enj-fkew
5
vulnerability VCID-srsg-ge6y-2ybu
6
vulnerability VCID-tfcu-w2ek-wkf9
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.0
References
0
reference_url https://docs.n8n.io/hosting/configuration/task-runners
reference_id
reference_type
scores
url https://docs.n8n.io/hosting/configuration/task-runners
1
reference_url https://github.com/n8n-io/n8n
reference_id
reference_type
scores
url https://github.com/n8n-io/n8n
2
reference_url https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22
reference_id
reference_type
scores
url https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22
3
reference_url https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1
reference_id
reference_type
scores
url https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1
4
reference_url https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3
reference_id
reference_type
scores
url https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-27495
reference_id CVE-2026-27495
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-27495
6
reference_url https://github.com/advisories/GHSA-jjpj-p2wh-qf23
reference_id GHSA-jjpj-p2wh-qf23
reference_type
scores
url https://github.com/advisories/GHSA-jjpj-p2wh-qf23
7
reference_url https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23
reference_id GHSA-jjpj-p2wh-qf23
reference_type
scores
url https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23
Weaknesses
0
cwe_id 94
name Improper Control of Generation of Code ('Code Injection')
description The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score null
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tfcu-w2ek-wkf9