{"url":"http://public2.vulnerablecode.io/api/packages/796232?format=json","purl":"pkg:npm/n8n@0.195.1","type":"npm","namespace":"","name":"n8n","version":"0.195.1","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.123.43","latest_non_vulnerable_version":"2.22.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70598?format=json","vulnerability_id":"VCID-17dc-5ubt-g3e1","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42237","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.1148","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11446","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11412","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11487","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42237"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42237","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42237"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx","reference_id":"GHSA-f3f2-mcxc-pwjx","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx"},{"reference_url":"https://github.com/advisories/GHSA-hp3c-vfpm-q4f7","reference_id":"GHSA-hp3c-vfpm-q4f7","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hp3c-vfpm-q4f7"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hp3c-vfpm-q4f7","reference_id":"GHSA-hp3c-vfpm-q4f7","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:17:33Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hp3c-vfpm-q4f7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42237","GHSA-hp3c-vfpm-q4f7"],"risk_score":3.7,"exploitability":"0.5","weighted_severity":"7.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-17dc-5ubt-g3e1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77657?format=json","vulnerability_id":"VCID-18zg-q45k-d3f3","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration. The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook). The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the LDAP node by adding `n8n-nodes-base.ldap` to the `NODES_EXCLUDE` environment variable, and/or avoid passing unvalidated external user input into LDAP node search parameters via expressions. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33751","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05318","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05309","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05308","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05325","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33751"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33751","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33751"},{"reference_url":"https://github.com/advisories/GHSA-w83q-mcmx-mh42","reference_id":"GHSA-w83q-mcmx-mh42","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w83q-mcmx-mh42"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42","reference_id":"GHSA-w83q-mcmx-mh42","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:10:55Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33751","GHSA-w83q-mcmx-mh42"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-18zg-q45k-d3f3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360053?format=json","vulnerability_id":"VCID-1rt1-y3w9-skc7","summary":"n8n has XSS in its Credential Management Flow\n## Impact\nAn authenticated user with permission to create and share credentials could craft a malicious OAuth2 credential containing a JavaScript URL in the Authorization URL field. If a victim opened the credential and interacted with the OAuth authorization button, the injected script would execute in their browser session.\n\n## Patches\nThe issue has been fixed in n8n versions 2.8.0 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit credential creation and sharing permissions to fully trusted users only.\n- Restrict access to the n8n instance to trusted users only.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-364x-8g5j-x2pr","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-364x-8g5j-x2pr"},{"reference_url":"https://github.com/advisories/GHSA-364x-8g5j-x2pr","reference_id":"GHSA-364x-8g5j-x2pr","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-364x-8g5j-x2pr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374624?format=json","purl":"pkg:npm/n8n@2.6.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.6.4"},{"url":"http://public2.vulnerablecode.io/api/packages/39942?format=json","purl":"pkg:npm/n8n@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.8.0"}],"aliases":["GHSA-364x-8g5j-x2pr"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1rt1-y3w9-skc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360207?format=json","vulnerability_id":"VCID-2kxv-vwc7-3ubf","summary":"n8n: Authenticated XSS and Open Redirect via Form Node\n## Impact\nAn authenticated user with permission to create or modify workflows could configure a Form Node with an unsanitized HTML description field or exploit an overly permissive iframe sandbox policy to perform stored cross-site scripting or redirect end users visiting the form to an arbitrary external URL. The vulnerability could be used to facilitate phishing attacks.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.24, 2.10.4 and 2.12.0. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Form node by adding `n8n-nodes-base.form` to the `NODES_EXCLUDE` environment variable.\n- Disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-w673-8fjw-457c","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-w673-8fjw-457c"},{"reference_url":"https://github.com/advisories/GHSA-w673-8fjw-457c","reference_id":"GHSA-w673-8fjw-457c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w673-8fjw-457c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375283?format=json","purl":"pkg:npm/n8n@1.123.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.24"},{"url":"http://public2.vulnerablecode.io/api/packages/375282?format=json","purl":"pkg:npm/n8n@2.10.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.4"},{"url":"http://public2.vulnerablecode.io/api/packages/375281?format=json","purl":"pkg:npm/n8n@2.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.12.0"}],"aliases":["GHSA-w673-8fjw-457c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2kxv-vwc7-3ubf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70609?format=json","vulnerability_id":"VCID-39dw-4b5k-1bae","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42232","reference_id":"","reference_type":"","scores":[{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45186","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45198","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45037","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42232"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42232","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42232"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r","reference_id":"GHSA-hqr4-h3xv-9m3r","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-04T19:41:11Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42232","GHSA-hqr4-h3xv-9m3r"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-39dw-4b5k-1bae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70147?format=json","vulnerability_id":"VCID-456j-q8xt-57e3","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42233","reference_id":"","reference_type":"","scores":[{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.20087","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.20063","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19896","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.20068","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42233"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42233","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42233"},{"reference_url":"https://github.com/advisories/GHSA-r6jc-mpqw-m755","reference_id":"GHSA-r6jc-mpqw-m755","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r6jc-mpqw-m755"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755","reference_id":"GHSA-r6jc-mpqw-m755","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:08:55Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42233","GHSA-r6jc-mpqw-m755"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-456j-q8xt-57e3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70273?format=json","vulnerability_id":"VCID-4crt-c14t-53dq","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42235","reference_id":"","reference_type":"","scores":[{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30004","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.29986","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.29789","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.29987","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42235"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42235","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42235"},{"reference_url":"https://github.com/advisories/GHSA-537j-gqpc-p7fq","reference_id":"GHSA-537j-gqpc-p7fq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-537j-gqpc-p7fq"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq","reference_id":"GHSA-537j-gqpc-p7fq","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T14:39:57Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42235","GHSA-537j-gqpc-p7fq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4crt-c14t-53dq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74152?format=json","vulnerability_id":"VCID-5c7w-mba9-mucn","summary":"n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21877","reference_id":"","reference_type":"","scores":[{"value":"0.05899","scoring_system":"epss","scoring_elements":"0.90846","published_at":"2026-06-14T12:55:00Z"},{"value":"0.05899","scoring_system":"epss","scoring_elements":"0.90808","published_at":"2026-06-11T12:55:00Z"},{"value":"0.05899","scoring_system":"epss","scoring_elements":"0.90838","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21877"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21877","reference_id":"CVE-2026-21877","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21877"},{"reference_url":"https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6","reference_id":"f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-08T18:59:03Z/"}],"url":"https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6"},{"reference_url":"https://github.com/advisories/GHSA-v364-rw7m-3263","reference_id":"GHSA-v364-rw7m-3263","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v364-rw7m-3263"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263","reference_id":"GHSA-v364-rw7m-3263","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-08T18:59:03Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36555?format=json","purl":"pkg:npm/n8n@1.121.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.121.3"}],"aliases":["CVE-2026-21877","GHSA-v364-rw7m-3263"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5c7w-mba9-mucn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77880?format=json","vulnerability_id":"VCID-5fsf-m3s8-pfg2","summary":"n8n is an open source workflow automation platform. Prior to versions 2.6.4 and 1.123.23, an authenticated user without permission to list external secrets could reference a secret by the external name in a credential and retrieve its plaintext value when saving the credential. This bypassed the `externalSecret:list` permission check and allowed access to secrets stored in connected vaults without admin or owner privileges. This issue requires the instance to have an external secrets vault configured. The attacker must know or be able to guess the name of a target secret. The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict n8n access to fully trusted users only, and/or disable external secrets integration until the patch can be applied. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33722","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04461","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04457","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04474","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04476","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33722"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33722","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33722"},{"reference_url":"https://github.com/advisories/GHSA-fxcw-h3qj-8m8p","reference_id":"GHSA-fxcw-h3qj-8m8p","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fxcw-h3qj-8m8p"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-fxcw-h3qj-8m8p","reference_id":"GHSA-fxcw-h3qj-8m8p","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-28T01:28:29Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-fxcw-h3qj-8m8p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374623?format=json","purl":"pkg:npm/n8n@1.123.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.23"},{"url":"http://public2.vulnerablecode.io/api/packages/374624?format=json","purl":"pkg:npm/n8n@2.6.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.6.4"}],"aliases":["CVE-2026-33722","GHSA-fxcw-h3qj-8m8p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5fsf-m3s8-pfg2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65724?format=json","vulnerability_id":"VCID-5pjr-smm2-pyav","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in versions 1.123.9 and 2.2.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25054","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03977","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03981","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03993","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25054"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25054","reference_id":"CVE-2026-25054","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25054"},{"reference_url":"https://github.com/advisories/GHSA-qpq4-pw7f-pp8w","reference_id":"GHSA-qpq4-pw7f-pp8w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qpq4-pw7f-pp8w"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w","reference_id":"GHSA-qpq4-pw7f-pp8w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:21Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38752?format=json","purl":"pkg:npm/n8n@1.123.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.9"},{"url":"http://public2.vulnerablecode.io/api/packages/38754?format=json","purl":"pkg:npm/n8n@2.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.2.1"}],"aliases":["CVE-2026-25054","GHSA-qpq4-pw7f-pp8w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5pjr-smm2-pyav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74420?format=json","vulnerability_id":"VCID-63n8-hy1m-3ke5","summary":"n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21893","reference_id":"","reference_type":"","scores":[{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.4881","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48805","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48824","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48668","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21893"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838","reference_id":"ae0669a736cc496beeb296e115267862727ae838","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T19:33:16Z/"}],"url":"https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21893","reference_id":"CVE-2026-21893","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21893"},{"reference_url":"https://github.com/advisories/GHSA-7c4h-vh2m-743m","reference_id":"GHSA-7c4h-vh2m-743m","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7c4h-vh2m-743m"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m","reference_id":"GHSA-7c4h-vh2m-743m","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T19:33:16Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38719?format=json","purl":"pkg:npm/n8n@1.120.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.120.3"}],"aliases":["CVE-2026-21893","GHSA-7c4h-vh2m-743m"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-63n8-hy1m-3ke5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360466?format=json","vulnerability_id":"VCID-63pn-hppa-13bx","summary":"n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints\n## Impact\nThe OAuth1 and OAuth2 credential reconnect endpoints authorized access using `credential:read` rather than `credential:update`. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control. Workflows relying on the affected credential would subsequently execute under the attacker's OAuth identity, enabling data exfiltration to attacker-controlled external services and persistent takeover of shared integrations.\n\nThis issue affects instances where credentials are shared with other users or across projects.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.21.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Restrict credential sharing to fully trusted users only.\n- Audit shared credentials for unexpected OAuth token changes and revoke any tokens that may have been replaced.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.\n\n---\nn8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.\n\nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45732","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13694","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.1372","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13719","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-45732"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-6h4j-wcr9-2vg7","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-6h4j-wcr9-2vg7"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45732","reference_id":"CVE-2026-45732","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-45732"},{"reference_url":"https://github.com/advisories/GHSA-6h4j-wcr9-2vg7","reference_id":"GHSA-6h4j-wcr9-2vg7","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6h4j-wcr9-2vg7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375471?format=json","purl":"pkg:npm/n8n@1.123.43","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.43"},{"url":"http://public2.vulnerablecode.io/api/packages/375473?format=json","purl":"pkg:npm/n8n@2.20.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.20.7"},{"url":"http://public2.vulnerablecode.io/api/packages/376026?format=json","purl":"pkg:npm/n8n@2.21.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.21.1"}],"aliases":["CVE-2026-45732","GHSA-6h4j-wcr9-2vg7"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-63pn-hppa-13bx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77730?format=json","vulnerability_id":"VCID-6pzv-3t6r-akeq","summary":"n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and the GSuiteAdmin nodes. By supplying a crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype`. An attacker could use this prototype pollution to achieve remote code execution on the n8n instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33696","reference_id":"","reference_type":"","scores":[{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43703","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43693","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43526","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43682","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33696"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33696","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33696"},{"reference_url":"https://github.com/advisories/GHSA-mxrg-77hm-89hv","reference_id":"GHSA-mxrg-77hm-89hv","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mxrg-77hm-89hv"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mxrg-77hm-89hv","reference_id":"GHSA-mxrg-77hm-89hv","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T20:08:10Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mxrg-77hm-89hv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33696","GHSA-mxrg-77hm-89hv"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6pzv-3t6r-akeq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212672?format=json","vulnerability_id":"VCID-6xm5-7kq2-xqdm","summary":"n8n has an Authentication Bypass in its Chat Trigger Node","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a"},{"reference_url":"https://github.com/advisories/GHSA-jh8h-6c9q-7gmw","reference_id":"GHSA-jh8h-6c9q-7gmw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jh8h-6c9q-7gmw"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jh8h-6c9q-7gmw","reference_id":"GHSA-jh8h-6c9q-7gmw","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jh8h-6c9q-7gmw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["GHSA-jh8h-6c9q-7gmw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6xm5-7kq2-xqdm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98223?format=json","vulnerability_id":"VCID-727u-nmx9-xuf3","summary":"n8n is a workflow automation platform. Prior to version 1.99.0, there is a denial of Service vulnerability in /rest/binary-data endpoint when processing empty filesystem URIs (filesystem:// or filesystem-v2://). This allows authenticated attackers to cause service unavailability through malformed filesystem URI requests, effecting the /rest/binary-data endpoint and n8n.cloud instances (confirmed HTTP/2 524 timeout responses). Attackers can exploit this by sending GET requests with empty filesystem URIs (filesystem:// or filesystem-v2://) to the /rest/binary-data endpoint, causing resource exhaustion and service disruption. This issue has been patched in version 1.99.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49595","reference_id":"","reference_type":"","scores":[{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52985","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.53113","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.53114","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.53129","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49595"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49595","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49595"},{"reference_url":"https://github.com/n8n-io/n8n/pull/16229","reference_id":"16229","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T13:10:37Z/"}],"url":"https://github.com/n8n-io/n8n/pull/16229"},{"reference_url":"https://github.com/n8n-io/n8n/commit/43c52a8b4f844e91b02e3cc9df92826a2d7b6052","reference_id":"43c52a8b4f844e91b02e3cc9df92826a2d7b6052","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T13:10:37Z/"}],"url":"https://github.com/n8n-io/n8n/commit/43c52a8b4f844e91b02e3cc9df92826a2d7b6052"},{"reference_url":"https://github.com/advisories/GHSA-pr9r-gxgp-9rm8","reference_id":"GHSA-pr9r-gxgp-9rm8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pr9r-gxgp-9rm8"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-pr9r-gxgp-9rm8","reference_id":"GHSA-pr9r-gxgp-9rm8","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T13:10:37Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-pr9r-gxgp-9rm8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378487?format=json","purl":"pkg:npm/n8n@1.99.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-et9c-dh4q-3qcy"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-kw94-d9qx-3qf9"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-vht4-48cx-c7gu"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"},{"vulnerability":"VCID-xsuv-1w6k-akeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.99.0"}],"aliases":["CVE-2025-49595","GHSA-pr9r-gxgp-9rm8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-727u-nmx9-xuf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78102?format=json","vulnerability_id":"VCID-78yr-xz2p-rkff","summary":"n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could use the Merge node's \"Combine by SQL\" mode to read local files on the n8n host and achieve remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to access sensitive files on the server or even compromise the instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.26. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33660","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23862","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.2384","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23658","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23854","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33660"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33660","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33660"},{"reference_url":"https://github.com/advisories/GHSA-58qr-rcgv-642v","reference_id":"GHSA-58qr-rcgv-642v","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-58qr-rcgv-642v"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v","reference_id":"GHSA-58qr-rcgv-642v","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-28T01:26:07Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33660","GHSA-58qr-rcgv-642v"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-78yr-xz2p-rkff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360401?format=json","vulnerability_id":"VCID-7fn6-gvxs-wygq","summary":"n8n: HTTP Request Node Pagination Prototype Pollution to RCE\n## Impact\nAn authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node. Combined with other techniques this could lead to RCE on the instance.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the HTTP Request node by adding `n8n-nodes-base.httpRequest` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.\n\n---\nn8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.\n\nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44789","reference_id":"","reference_type":"","scores":[{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15602","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15634","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00048","scoring_system":"epss","scoring_elements":"0.15622","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44789"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-c8xv-5998-g76h","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-c8xv-5998-g76h"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44789","reference_id":"CVE-2026-44789","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44789"},{"reference_url":"https://github.com/advisories/GHSA-c8xv-5998-g76h","reference_id":"GHSA-c8xv-5998-g76h","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c8xv-5998-g76h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375471?format=json","purl":"pkg:npm/n8n@1.123.43","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.43"},{"url":"http://public2.vulnerablecode.io/api/packages/375473?format=json","purl":"pkg:npm/n8n@2.20.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.20.7"},{"url":"http://public2.vulnerablecode.io/api/packages/375472?format=json","purl":"pkg:npm/n8n@2.22.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.22.1"}],"aliases":["CVE-2026-44789","GHSA-c8xv-5998-g76h"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7fn6-gvxs-wygq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360430?format=json","vulnerability_id":"VCID-8zpu-gnub-2bb8","summary":"n8n Has a Source Control Pull SQL Injection\n## Impact\nAn attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator performed a Source Control Pull, n8n imported the file and could lead to SQL injection on the internal PostgreSQL instance.\n\nExploitation requires all of the following conditions:\n- The n8n instance uses PostgreSQL as its database backend.\n- The Source Control feature is enabled and connected to a repository the attacker can write to.\n- An administrator triggers a Source Control Pull.\n\n## Patches\nThe issue has been fixed in n8n version 1.123.43, 2.20.7, and 2.21.1. Users should upgrade to this version or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Disable the Source Control feature if it is not actively required.\n- Restrict write access to the connected git repository to fully trusted users only.\n- Avoid pulling from repositories that may have been modified by untrusted parties.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44792","reference_id":"","reference_type":"","scores":[{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.124","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.1242","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0004","scoring_system":"epss","scoring_elements":"0.12411","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44792"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mhrx-qhrj-673w","reference_id":"","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mhrx-qhrj-673w"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44792","reference_id":"CVE-2026-44792","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44792"},{"reference_url":"https://github.com/advisories/GHSA-mhrx-qhrj-673w","reference_id":"GHSA-mhrx-qhrj-673w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mhrx-qhrj-673w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375471?format=json","purl":"pkg:npm/n8n@1.123.43","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.43"},{"url":"http://public2.vulnerablecode.io/api/packages/375473?format=json","purl":"pkg:npm/n8n@2.20.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.20.7"},{"url":"http://public2.vulnerablecode.io/api/packages/376026?format=json","purl":"pkg:npm/n8n@2.21.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.21.1"}],"aliases":["CVE-2026-44792","GHSA-mhrx-qhrj-673w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-8zpu-gnub-2bb8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212662?format=json","vulnerability_id":"VCID-95f5-4xkw-yuae","summary":"n8n Vulnerable to Stored XSS via Various Nodes","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27578","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09996","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09942","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.0999","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09982","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27578"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27578","reference_id":"CVE-2026-27578","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27578"},{"reference_url":"https://github.com/advisories/GHSA-2p9h-rqjw-gm92","reference_id":"GHSA-2p9h-rqjw-gm92","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2p9h-rqjw-gm92"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92","reference_id":"GHSA-2p9h-rqjw-gm92","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27578","GHSA-2p9h-rqjw-gm92"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-95f5-4xkw-yuae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66086?format=json","vulnerability_id":"VCID-9bcs-wgnz-m3e8","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance. This issue has been patched in versions 1.123.18 and 2.5.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25052","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06498","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06467","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06486","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06479","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25052"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25052","reference_id":"CVE-2026-25052","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25052"},{"reference_url":"https://github.com/advisories/GHSA-gfvg-qv54-r4pc","reference_id":"GHSA-gfvg-qv54-r4pc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gfvg-qv54-r4pc"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc","reference_id":"GHSA-gfvg-qv54-r4pc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:20Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38741?format=json","purl":"pkg:npm/n8n@1.123.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.18"},{"url":"http://public2.vulnerablecode.io/api/packages/38208?format=json","purl":"pkg:npm/n8n@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0"}],"aliases":["CVE-2026-25052","GHSA-gfvg-qv54-r4pc"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9bcs-wgnz-m3e8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91181?format=json","vulnerability_id":"VCID-c232-fvfd-3fda","summary":"n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through the project's pre-commit hooks. The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. Workarounds include excluding the Git Node (Docs) and avoiding cloning or interacting with untrusted repositories using the Git Node.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65964","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10275","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10293","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.10289","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.1024","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65964"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65964","reference_id":"CVE-2025-65964","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65964"},{"reference_url":"https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04","reference_id":"d5a1171f95f75def5c3ac577707ab913e22aef04","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/"}],"url":"https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04"},{"reference_url":"https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes","reference_id":"#exclude-nodes","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/"}],"url":"https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes"},{"reference_url":"https://github.com/advisories/GHSA-wpqc-h9wp-chmq","reference_id":"GHSA-wpqc-h9wp-chmq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wpqc-h9wp-chmq"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq","reference_id":"GHSA-wpqc-h9wp-chmq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2","reference_id":"n8n%401.119.2","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35913?format=json","purl":"pkg:npm/n8n@1.119.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.119.2"}],"aliases":["CVE-2025-65964","GHSA-wpqc-h9wp-chmq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c232-fvfd-3fda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65612?format=json","vulnerability_id":"VCID-c4s3-zx71-c7h3","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.10 and 2.5.0, vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host. This issue has been patched in versions 1.123.10 and 2.5.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25053","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09586","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09572","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09582","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09532","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25053"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25053","reference_id":"CVE-2026-25053","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25053"},{"reference_url":"https://github.com/advisories/GHSA-9g95-qf3f-ggrw","reference_id":"GHSA-9g95-qf3f-ggrw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9g95-qf3f-ggrw"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw","reference_id":"GHSA-9g95-qf3f-ggrw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:18Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38744?format=json","purl":"pkg:npm/n8n@1.123.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.10"},{"url":"http://public2.vulnerablecode.io/api/packages/38208?format=json","purl":"pkg:npm/n8n@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0"}],"aliases":["CVE-2026-25053","GHSA-9g95-qf3f-ggrw"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c4s3-zx71-c7h3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77941?format=json","vulnerability_id":"VCID-camv-m2tf-qkac","summary":"n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with the `global:member` role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) belonging to other users on the same instance. The attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during pre-execution validation. Together, these flaws allow a member-role user to resolve another user's credential ID and execute a workflow that decrypts and uses that credential without authorization. Native integration credential types (e.g. `slackApi`, `openAiApi`, `postgres`) are not affected by this issue. This vulnerability affects Community Edition only. Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict instance access to fully trusted users only, and/or audit credentials stored on the instance and rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33663","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06433","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06413","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06425","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06443","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33663"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33663","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33663"},{"reference_url":"https://github.com/advisories/GHSA-m63j-689w-3j35","reference_id":"GHSA-m63j-689w-3j35","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m63j-689w-3j35"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35","reference_id":"GHSA-m63j-689w-3j35","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T17:51:35Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33663","GHSA-m63j-689w-3j35"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"8.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-camv-m2tf-qkac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78399?format=json","vulnerability_id":"VCID-cxss-9g41-gfb7","summary":"n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime.\n\nAn authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1470","reference_id":"","reference_type":"","scores":[{"value":"0.02265","scoring_system":"epss","scoring_elements":"0.85046","published_at":"2026-06-12T12:55:00Z"},{"value":"0.02265","scoring_system":"epss","scoring_elements":"0.85047","published_at":"2026-06-14T12:55:00Z"},{"value":"0.02265","scoring_system":"epss","scoring_elements":"0.85055","published_at":"2026-06-13T12:55:00Z"},{"value":"0.02265","scoring_system":"epss","scoring_elements":"0.84993","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1470"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/25c4b9605b420a98d0185a4f01115122a5134d8f","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/25c4b9605b420a98d0185a4f01115122a5134d8f"},{"reference_url":"https://github.com/n8n-io/n8n/commit/30383d86139f3279a698df8d229eadfefe8627f4","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/30383d86139f3279a698df8d229eadfefe8627f4"},{"reference_url":"https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce"},{"reference_url":"https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04","reference_id":"aa4d1e5825829182afa0ad5b81f602638f55fa04","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-27T14:35:25Z/"}],"url":"https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1470","reference_id":"CVE-2026-1470","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1470"},{"reference_url":"https://github.com/advisories/GHSA-5xrp-6693-jjx9","reference_id":"GHSA-5xrp-6693-jjx9","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5xrp-6693-jjx9"},{"reference_url":"https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/","reference_id":"n8n-expression-node-rce","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-27T14:35:25Z/"}],"url":"https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38205?format=json","purl":"pkg:npm/n8n@1.123.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.17"},{"url":"http://public2.vulnerablecode.io/api/packages/38207?format=json","purl":"pkg:npm/n8n@2.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.5"},{"url":"http://public2.vulnerablecode.io/api/packages/38209?format=json","purl":"pkg:npm/n8n@2.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.1"}],"aliases":["CVE-2026-1470","GHSA-5xrp-6693-jjx9"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cxss-9g41-gfb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66132?format=json","vulnerability_id":"VCID-cy8m-aw8f-zkfx","summary":"n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25051","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03993","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03982","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03994","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03978","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25051"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/ced34c0f93ab4c759a56065965986094d8ef7323","reference_id":"ced34c0f93ab4c759a56065965986094d8ef7323","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:22Z/"}],"url":"https://github.com/n8n-io/n8n/commit/ced34c0f93ab4c759a56065965986094d8ef7323"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25051","reference_id":"CVE-2026-25051","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25051"},{"reference_url":"https://github.com/n8n-io/n8n/commit/e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9","reference_id":"e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:22Z/"}],"url":"https://github.com/n8n-io/n8n/commit/e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9"},{"reference_url":"https://github.com/advisories/GHSA-825q-w924-xhgx","reference_id":"GHSA-825q-w924-xhgx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-825q-w924-xhgx"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx","reference_id":"GHSA-825q-w924-xhgx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:22Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38738?format=json","purl":"pkg:npm/n8n@1.122.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.122.5"},{"url":"http://public2.vulnerablecode.io/api/packages/38734?format=json","purl":"pkg:npm/n8n@1.123.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.2"}],"aliases":["CVE-2026-25051","GHSA-825q-w924-xhgx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cy8m-aw8f-zkfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212674?format=json","vulnerability_id":"VCID-cyxm-4jde-myc1","summary":"n8n has a Guardrail Node Bypass","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/8d0251d1deef256fd3d9176f05dedab62afde918","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/8d0251d1deef256fd3d9176f05dedab62afde918"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.0","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.0"},{"reference_url":"https://github.com/advisories/GHSA-fvfv-ppw4-7h2w","reference_id":"GHSA-fvfv-ppw4-7h2w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fvfv-ppw4-7h2w"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-fvfv-ppw4-7h2w","reference_id":"GHSA-fvfv-ppw4-7h2w","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-fvfv-ppw4-7h2w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39883?format=json","purl":"pkg:npm/n8n@2.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.0"}],"aliases":["GHSA-fvfv-ppw4-7h2w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cyxm-4jde-myc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212675?format=json","vulnerability_id":"VCID-d1rq-nmws-w3fy","summary":"n8n has Webhook Forgery on Zendesk Trigger Node","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/3839e310bd4c3002c646c363d1411916fa195151","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/3839e310bd4c3002c646c363d1411916fa195151"},{"reference_url":"https://github.com/n8n-io/n8n/commit/c6520e4e87614fa60c9433e93019e211f19f65f9","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/c6520e4e87614fa60c9433e93019e211f19f65f9"},{"reference_url":"https://github.com/advisories/GHSA-38c7-23hj-2wgq","reference_id":"GHSA-38c7-23hj-2wgq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-38c7-23hj-2wgq"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-38c7-23hj-2wgq","reference_id":"GHSA-38c7-23hj-2wgq","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-38c7-23hj-2wgq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38741?format=json","purl":"pkg:npm/n8n@1.123.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.18"},{"url":"http://public2.vulnerablecode.io/api/packages/39943?format=json","purl":"pkg:npm/n8n@2.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.6.2"}],"aliases":["GHSA-38c7-23hj-2wgq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d1rq-nmws-w3fy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77749?format=json","vulnerability_id":"VCID-d5bn-f87r-vka1","summary":"n8n is an open source workflow automation platform. Prior to version 2.8.0, when the `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` environment variable is set to `true`, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in their name. This issue only affects instances where `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` is explicitly configured (non-default). The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Avoid enabling `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` unless strictly required, and/ or restrict access to the n8n instance to fully trusted users only. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33720","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0286","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.0287","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02867","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02876","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33720"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33720","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33720"},{"reference_url":"https://github.com/advisories/GHSA-vpgc-2f6g-7w7x","reference_id":"GHSA-vpgc-2f6g-7w7x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vpgc-2f6g-7w7x"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vpgc-2f6g-7w7x","reference_id":"GHSA-vpgc-2f6g-7w7x","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:07:38Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vpgc-2f6g-7w7x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39942?format=json","purl":"pkg:npm/n8n@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.8.0"}],"aliases":["CVE-2026-33720","GHSA-vpgc-2f6g-7w7x"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d5bn-f87r-vka1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66101?format=json","vulnerability_id":"VCID-d5s2-xbfd-ukg7","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25049","reference_id":"","reference_type":"","scores":[{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17038","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17064","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.17052","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.16895","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25049"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d","reference_id":"7860896909b3d42993a36297f053d2b0e633235d","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:21Z/"}],"url":"https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d"},{"reference_url":"https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b","reference_id":"936c06cfc1ad269a89e8ef7f8ac79c104436d54b","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:21Z/"}],"url":"https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25049","reference_id":"CVE-2026-25049","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25049"},{"reference_url":"https://github.com/advisories/GHSA-6cqr-8cfr-67f8","reference_id":"GHSA-6cqr-8cfr-67f8","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6cqr-8cfr-67f8"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8","reference_id":"GHSA-6cqr-8cfr-67f8","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:21Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38205?format=json","purl":"pkg:npm/n8n@1.123.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.17"},{"url":"http://public2.vulnerablecode.io/api/packages/38728?format=json","purl":"pkg:npm/n8n@2.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.2"}],"aliases":["CVE-2026-25049","GHSA-6cqr-8cfr-67f8"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d5s2-xbfd-ukg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78047?format=json","vulnerability_id":"VCID-d763-b5fk-g3dm","summary":"n8n is an open source workflow automation platform. Prior to version 2.5.0, when the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key, potentially injecting malicious content into workflows or intercepting repository data. This issue only affects instances where the Source Control feature has been explicitly enabled and configured to use SSH (non-default). The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable the Source Control feature if it is not actively required, and/or restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33724","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04358","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04356","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04367","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04371","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33724"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33724","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33724"},{"reference_url":"https://github.com/advisories/GHSA-43v7-fp2v-68f6","reference_id":"GHSA-43v7-fp2v-68f6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-43v7-fp2v-68f6"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-43v7-fp2v-68f6","reference_id":"GHSA-43v7-fp2v-68f6","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:05:11Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-43v7-fp2v-68f6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38208?format=json","purl":"pkg:npm/n8n@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0"}],"aliases":["CVE-2026-33724","GHSA-43v7-fp2v-68f6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d763-b5fk-g3dm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66155?format=json","vulnerability_id":"VCID-d7g4-89n1-y7e7","summary":"n8n is an open source workflow automation platform. Prior to 1.121.0, there is a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This only might affect user who have credentials that use wildcard domain patterns (e.g., *.example.com) in the \"Allowed domains\" setting. This issue is fixed in version 1.121.0 and later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25631","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07542","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07526","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07508","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07535","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25631"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25631","reference_id":"CVE-2026-25631","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25631"},{"reference_url":"https://github.com/advisories/GHSA-2xcx-75h9-vr9h","reference_id":"GHSA-2xcx-75h9-vr9h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2xcx-75h9-vr9h"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h","reference_id":"GHSA-2xcx-75h9-vr9h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T21:06:21Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36331?format=json","purl":"pkg:npm/n8n@1.121.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.121.0"}],"aliases":["CVE-2026-25631","GHSA-2xcx-75h9-vr9h"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d7g4-89n1-y7e7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80280?format=json","vulnerability_id":"VCID-dm6y-ymh9-u3cm","summary":"n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27577","reference_id":"","reference_type":"","scores":[{"value":"0.00175","scoring_system":"epss","scoring_elements":"0.38836","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00175","scoring_system":"epss","scoring_elements":"0.39022","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00175","scoring_system":"epss","scoring_elements":"0.39031","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00175","scoring_system":"epss","scoring_elements":"0.39008","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27577"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6","reference_id":"1479aab2d32fe0ee087f82b9038b1035c98be2f6","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/"}],"url":"https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6"},{"reference_url":"https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e","reference_id":"9e5212ecbc5d2d4e6f340b636a5e84be6369882e","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/"}],"url":"https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27577","reference_id":"CVE-2026-27577","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27577"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp","reference_id":"GHSA-v98v-ff95-f3cp","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp"},{"reference_url":"https://github.com/advisories/GHSA-vpcf-gvg4-6qwr","reference_id":"GHSA-vpcf-gvg4-6qwr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vpcf-gvg4-6qwr"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr","reference_id":"GHSA-vpcf-gvg4-6qwr","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr"},{"reference_url":"https://docs.n8n.io/hosting/securing/overview","reference_id":"overview","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/"}],"url":"https://docs.n8n.io/hosting/securing/overview"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27577","GHSA-vpcf-gvg4-6qwr"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dm6y-ymh9-u3cm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121282?format=json","vulnerability_id":"VCID-et9c-dh4q-3qcy","summary":"n8n is a workflow automation platform. Before 1.106.0, a symlink traversal vulnerability was discovered in the Read/Write File node in n8n. While the node attempts to restrict access to sensitive directories and files, it does not properly account for symbolic links (symlinks). An attacker with the ability to create symlinks—such as by using the Execute Command node—could exploit this to bypass the intended directory restrictions and read from or write to otherwise inaccessible paths. Users of n8n.cloud are not impacted. Affected users should update to version 1.106.0 or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57749","reference_id":"","reference_type":"","scores":[{"value":"0.00177","scoring_system":"epss","scoring_elements":"0.39293","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00177","scoring_system":"epss","scoring_elements":"0.39286","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00177","scoring_system":"epss","scoring_elements":"0.39268","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00177","scoring_system":"epss","scoring_elements":"0.39097","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57749"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/c2c3e08cdf33570d9051e659812cbfbdd3c077fd","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/c2c3e08cdf33570d9051e659812cbfbdd3c077fd"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57749","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57749"},{"reference_url":"https://github.com/n8n-io/n8n/pull/17735","reference_id":"17735","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-21T14:43:03Z/"}],"url":"https://github.com/n8n-io/n8n/pull/17735"},{"reference_url":"https://github.com/advisories/GHSA-ggjm-f3g4-rwmm","reference_id":"GHSA-ggjm-f3g4-rwmm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ggjm-f3g4-rwmm"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-ggjm-f3g4-rwmm","reference_id":"GHSA-ggjm-f3g4-rwmm","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-21T14:43:03Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-ggjm-f3g4-rwmm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377724?format=json","purl":"pkg:npm/n8n@1.106.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-kw94-d9qx-3qf9"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"},{"vulnerability":"VCID-xsuv-1w6k-akeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.106.0"}],"aliases":["CVE-2025-57749","GHSA-ggjm-f3g4-rwmm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-et9c-dh4q-3qcy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78072?format=json","vulnerability_id":"VCID-f8r2-7ab1-w3d8","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, an authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The `/rest/binary-data` endpoint served such responses inline on the n8n origin without `Content-Disposition` or `Content-Security-Policy` headers, allowing the HTML to render in the browser with full same-origin JavaScript access. By sending the resulting URL to a higher-privileged user, an attacker could execute JavaScript in the victim's authenticated session, enabling exfiltration of workflows and credentials, modification of workflows, or privilege escalation to admin. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or restrict network access to the n8n instance to prevent untrusted users from accessing binary data URLs. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33749","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16067","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16034","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15914","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.16056","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33749"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33749","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33749"},{"reference_url":"https://github.com/advisories/GHSA-qfc3-hm4j-7q77","reference_id":"GHSA-qfc3-hm4j-7q77","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qfc3-hm4j-7q77"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-qfc3-hm4j-7q77","reference_id":"GHSA-qfc3-hm4j-7q77","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:07:00Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-qfc3-hm4j-7q77"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33749","GHSA-qfc3-hm4j-7q77"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f8r2-7ab1-w3d8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80256?format=json","vulnerability_id":"VCID-fuvy-21q8-fyhh","summary":"n8n is an open source workflow automation platform. Prior to versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk node with git operations to achieve remote code execution. By writing to specific configuration files and then triggering a git operation, the attacker could execute arbitrary shell commands on the n8n host. The issue has been fixed in n8n versions 2.2.0 and 1.123.8. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27498","reference_id":"","reference_type":"","scores":[{"value":"0.00594","scoring_system":"epss","scoring_elements":"0.6985","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00594","scoring_system":"epss","scoring_elements":"0.69862","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00594","scoring_system":"epss","scoring_elements":"0.69759","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00594","scoring_system":"epss","scoring_elements":"0.69864","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27498"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/97365caf253978ba8e46d7bc53fa7ac3b6f67b32","reference_id":"97365caf253978ba8e46d7bc53fa7ac3b6f67b32","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/"}],"url":"https://github.com/n8n-io/n8n/commit/97365caf253978ba8e46d7bc53fa7ac3b6f67b32"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27498","reference_id":"CVE-2026-27498","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27498"},{"reference_url":"https://github.com/n8n-io/n8n/commit/e22acaab3dcb2004e5fe0bf9ef2db975bde61866","reference_id":"e22acaab3dcb2004e5fe0bf9ef2db975bde61866","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/"}],"url":"https://github.com/n8n-io/n8n/commit/e22acaab3dcb2004e5fe0bf9ef2db975bde61866"},{"reference_url":"https://github.com/advisories/GHSA-x2mw-7j39-93xq","reference_id":"GHSA-x2mw-7j39-93xq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x2mw-7j39-93xq"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-x2mw-7j39-93xq","reference_id":"GHSA-x2mw-7j39-93xq","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-x2mw-7j39-93xq"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.8","reference_id":"n8n@1.123.8","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.8"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.2.0","reference_id":"n8n@2.2.0","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.2.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39887?format=json","purl":"pkg:npm/n8n@1.123.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.8"},{"url":"http://public2.vulnerablecode.io/api/packages/37601?format=json","purl":"pkg:npm/n8n@2.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.2.0"}],"aliases":["CVE-2026-27498","GHSA-x2mw-7j39-93xq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fuvy-21q8-fyhh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80123?format=json","vulnerability_id":"VCID-g3sy-n7qb-kqat","summary":"n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, a second-order expression injection vulnerability existed in n8n's Form nodes that could allow an unauthenticated attacker to inject and evaluate arbitrary n8n expressions by submitting crafted form data. When chained with an expression sandbox escape, this could escalate to remote code execution on the n8n host. The vulnerability requires a specific workflow configuration to be exploitable. First, a form node with a field interpolating a value provided by an unauthenticated user, e.g. a form submitted value. Second, the field value must begin with an `=` character, which caused n8n to treat it as an expression and triggered a double-evaluation of the field content. There is no practical reason for a workflow designer to prefix a field with `=` intentionally — the character is not rendered in the output, so the result would not match the designer's expectations. If added accidentally, it would be noticeable and very unlikely to persist. An unauthenticated attacker would need to either know about this specific circumstance on a target instance or discover a matching form by chance. Even when the preconditions are met, the expression injection alone is limited to data accessible within the n8n expression context. Escalation to remote code execution requires chaining with a separate sandbox escape vulnerability. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Review usage of form nodes manually for above mentioned preconditions, disable the Form node by adding `n8n-nodes-base.form` to the `NODES_EXCLUDE` environment variable, and/or disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27493","reference_id":"","reference_type":"","scores":[{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.50558","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.50545","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.50406","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.5054","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27493"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/issues/19","reference_id":"19","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/issues/19"},{"reference_url":"https://github.com/n8n-io/n8n/commit/562d867483e871b0f1e31776252e23bd721df75b","reference_id":"562d867483e871b0f1e31776252e23bd721df75b","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/commit/562d867483e871b0f1e31776252e23bd721df75b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27493","reference_id":"CVE-2026-27493","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27493"},{"reference_url":"https://github.com/advisories/GHSA-75g8-rv7v-32f7","reference_id":"GHSA-75g8-rv7v-32f7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-75g8-rv7v-32f7"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-75g8-rv7v-32f7","reference_id":"GHSA-75g8-rv7v-32f7","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-75g8-rv7v-32f7"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22","reference_id":"n8n@1.123.22","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1","reference_id":"n8n@2.10.1","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3","reference_id":"n8n@2.9.3","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27493","GHSA-75g8-rv7v-32f7"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g3sy-n7qb-kqat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360302?format=json","vulnerability_id":"VCID-hx1p-thnm-4ud4","summary":"n8n Has an Arbitrary File Read via Git Node\n## Impact\nAn authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Git node by adding `n8n-nodes-base.git` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.\n\n---\nn8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.\n\nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44790","reference_id":"","reference_type":"","scores":[{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13518","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13545","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00043","scoring_system":"epss","scoring_elements":"0.13542","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44790"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-57g9-58c2-xjg3","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-57g9-58c2-xjg3"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44790","reference_id":"CVE-2026-44790","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44790"},{"reference_url":"https://github.com/advisories/GHSA-57g9-58c2-xjg3","reference_id":"GHSA-57g9-58c2-xjg3","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-57g9-58c2-xjg3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375471?format=json","purl":"pkg:npm/n8n@1.123.43","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.43"},{"url":"http://public2.vulnerablecode.io/api/packages/375473?format=json","purl":"pkg:npm/n8n@2.20.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.20.7"},{"url":"http://public2.vulnerablecode.io/api/packages/375472?format=json","purl":"pkg:npm/n8n@2.22.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.22.1"}],"aliases":["CVE-2026-44790","GHSA-57g9-58c2-xjg3"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hx1p-thnm-4ud4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70447?format=json","vulnerability_id":"VCID-krxn-r6bc-cffu","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data without adequate resource controls. An unauthenticated remote attacker could exhaust server memory resources by sending large registration payloads, rendering the n8n instance unavailable. The MCP enable/disable toggle gates MCP access but did not restrict client registrations, meaning the endpoint is reachable regardless of whether MCP access is enabled on the instance. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42236","reference_id":"","reference_type":"","scores":[{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37494","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37306","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37507","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37483","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42236"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42236","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42236"},{"reference_url":"https://github.com/advisories/GHSA-49m9-pgww-9vq6","reference_id":"GHSA-49m9-pgww-9vq6","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-49m9-pgww-9vq6"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-49m9-pgww-9vq6","reference_id":"GHSA-49m9-pgww-9vq6","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:59:10Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-49m9-pgww-9vq6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42236","GHSA-49m9-pgww-9vq6"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-krxn-r6bc-cffu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65748?format=json","vulnerability_id":"VCID-ktyh-c1au-6yc7","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata the vulnerability can lead to files being written to unintended locations on those remote systems potentially leading to remote code execution on those systems. As a prerequisites an unauthenticated attacker needs knowledge of such workflows existing and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25055","reference_id":"","reference_type":"","scores":[{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39558","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39546","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39533","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39362","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25055"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/528ad6b982d0519ec170e172f57b7fdbbe175230","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/528ad6b982d0519ec170e172f57b7fdbbe175230"},{"reference_url":"https://github.com/n8n-io/n8n/commit/e0baf48c6a54808f6dbca8cb352bfa306092c223","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/e0baf48c6a54808f6dbca8cb352bfa306092c223"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25055","reference_id":"CVE-2026-25055","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25055"},{"reference_url":"https://github.com/advisories/GHSA-m82q-59gv-mcr9","reference_id":"GHSA-m82q-59gv-mcr9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m82q-59gv-mcr9"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9","reference_id":"GHSA-m82q-59gv-mcr9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:20Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38757?format=json","purl":"pkg:npm/n8n@1.123.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.12"},{"url":"http://public2.vulnerablecode.io/api/packages/38755?format=json","purl":"pkg:npm/n8n@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0"}],"aliases":["CVE-2026-25055","GHSA-m82q-59gv-mcr9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ktyh-c1au-6yc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/102286?format=json","vulnerability_id":"VCID-kw94-d9qx-3qf9","summary":"n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62726","reference_id":"","reference_type":"","scores":[{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44936","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.4495","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44935","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44785","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62726"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/pull/19559","reference_id":"19559","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-31T18:19:00Z/"}],"url":"https://github.com/n8n-io/n8n/pull/19559"},{"reference_url":"https://github.com/n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997","reference_id":"5bf3db5ba84d3195bbe11bbd3c62f7086e090997","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-31T18:19:00Z/"}],"url":"https://github.com/n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62726","reference_id":"CVE-2025-62726","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62726"},{"reference_url":"https://github.com/advisories/GHSA-xgp7-7qjq-vg47","reference_id":"GHSA-xgp7-7qjq-vg47","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xgp7-7qjq-vg47"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47","reference_id":"GHSA-xgp7-7qjq-vg47","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-31T18:19:00Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34928?format=json","purl":"pkg:npm/n8n@1.113.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.113.0"}],"aliases":["CVE-2025-62726","GHSA-xgp7-7qjq-vg47"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kw94-d9qx-3qf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360286?format=json","vulnerability_id":"VCID-n38u-498z-gke2","summary":"n8n Has an XML Node Prototype Pollution Patch Bypass\n## Impact\nAn authenticated user with permission to create or modify workflows could bypass the patch for GHSA-hqr4-h3xv-9m3r in the XML node. When combined with other nodes, this could lead to RCE on the n8n host.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.43, 2.20.7, and 2.22.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.\n\n---\nn8n has adopted CVSS 4.0 as primary score for all security advisories. CVSS 3.1 vector strings are provided for backwards compatibility.\n\nCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44791","reference_id":"","reference_type":"","scores":[{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14683","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14711","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00046","scoring_system":"epss","scoring_elements":"0.14713","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44791"},{"reference_url":"https://github.com/advisories/GHSA-hqr4-h3xv-9m3r","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hqr4-h3xv-9m3r"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-wrwr-h859-xh2r","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-wrwr-h859-xh2r"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44791","reference_id":"CVE-2026-44791","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44791"},{"reference_url":"https://github.com/advisories/GHSA-wrwr-h859-xh2r","reference_id":"GHSA-wrwr-h859-xh2r","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wrwr-h859-xh2r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375471?format=json","purl":"pkg:npm/n8n@1.123.43","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.43"},{"url":"http://public2.vulnerablecode.io/api/packages/375473?format=json","purl":"pkg:npm/n8n@2.20.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.20.7"},{"url":"http://public2.vulnerablecode.io/api/packages/375472?format=json","purl":"pkg:npm/n8n@2.22.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.22.1"}],"aliases":["CVE-2026-44791","GHSA-wrwr-h859-xh2r"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n38u-498z-gke2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/127969?format=json","vulnerability_id":"VCID-nh3d-mzxr-j7dy","summary":"n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the “Respond to Webhook” node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61914","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00707","published_at":"2026-06-14T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00701","published_at":"2026-06-13T12:55:00Z"},{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00703","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61914"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61914","reference_id":"CVE-2025-61914","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61914"},{"reference_url":"https://github.com/advisories/GHSA-58jc-rcg5-95f3","reference_id":"GHSA-58jc-rcg5-95f3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-58jc-rcg5-95f3"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-58jc-rcg5-95f3","reference_id":"GHSA-58jc-rcg5-95f3","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-26T21:54:28Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-58jc-rcg5-95f3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36368?format=json","purl":"pkg:npm/n8n@1.114.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.114.0"}],"aliases":["CVE-2025-61914","GHSA-58jc-rcg5-95f3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nh3d-mzxr-j7dy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70296?format=json","vulnerability_id":"VCID-nhbw-hcq1-b3em","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately. This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42227","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11895","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11872","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11812","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11896","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42227"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42227","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42227"},{"reference_url":"https://github.com/advisories/GHSA-756q-gq9h-fp22","reference_id":"GHSA-756q-gq9h-fp22","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-756q-gq9h-fp22"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-756q-gq9h-fp22","reference_id":"GHSA-756q-gq9h-fp22","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:08:26Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-756q-gq9h-fp22"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42227","GHSA-756q-gq9h-fp22"],"risk_score":3.5,"exploitability":"0.5","weighted_severity":"6.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nhbw-hcq1-b3em"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70393?format=json","vulnerability_id":"VCID-nva1-tjfr-ckb5","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution. An unauthenticated remote attacker who could identify a valid execution ID for a workflow in a waiting state could attach to that execution, receive the pending prompt intended for the legitimate user, and submit arbitrary input to resume or influence downstream workflow behavior. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42228","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25694","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25679","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25477","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25675","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42228"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42228","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42228"},{"reference_url":"https://github.com/advisories/GHSA-f77h-j2v7-g6mw","reference_id":"GHSA-f77h-j2v7-g6mw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f77h-j2v7-g6mw"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f77h-j2v7-g6mw","reference_id":"GHSA-f77h-j2v7-g6mw","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T13:47:46Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f77h-j2v7-g6mw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42228","GHSA-f77h-j2v7-g6mw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nva1-tjfr-ckb5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79889?format=json","vulnerability_id":"VCID-p2w8-9t9n-7baw","summary":"n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could exploit a vulnerability in the JavaScript Task Runner sandbox to execute arbitrary code outside the sandbox boundary. On instances using internal Task Runners (default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other task executed on the Task Runner. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to limit the blast radius. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27495","reference_id":"","reference_type":"","scores":[{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.2809","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.27879","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28077","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.28102","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27495"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27495","reference_id":"CVE-2026-27495","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27495"},{"reference_url":"https://github.com/advisories/GHSA-jjpj-p2wh-qf23","reference_id":"GHSA-jjpj-p2wh-qf23","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jjpj-p2wh-qf23"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23","reference_id":"GHSA-jjpj-p2wh-qf23","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22","reference_id":"n8n@1.123.22","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1","reference_id":"n8n@2.10.1","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3","reference_id":"n8n@2.9.3","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3"},{"reference_url":"https://docs.n8n.io/hosting/configuration/task-runners","reference_id":"task-runners","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/"}],"url":"https://docs.n8n.io/hosting/configuration/task-runners"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27495","GHSA-jjpj-p2wh-qf23"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p2w8-9t9n-7baw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79999?format=json","vulnerability_id":"VCID-qrf6-n324-ybbj","summary":"n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27497","reference_id":"","reference_type":"","scores":[{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22844","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.23029","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.23052","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.23041","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27497"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27497","reference_id":"CVE-2026-27497","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27497"},{"reference_url":"https://github.com/advisories/GHSA-wxx7-mcgf-j869","reference_id":"GHSA-wxx7-mcgf-j869","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wxx7-mcgf-j869"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869","reference_id":"GHSA-wxx7-mcgf-j869","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22","reference_id":"n8n@1.123.22","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1","reference_id":"n8n@2.10.1","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3","reference_id":"n8n@2.9.3","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27497","GHSA-wxx7-mcgf-j869"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qrf6-n324-ybbj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360046?format=json","vulnerability_id":"VCID-r89t-ywcr-kbev","summary":"n8n has a Stored XSS Vulnerability in its Form Trigger\n## Impact\nAn authenticated user with permission to create or modify workflows could exploit a flaw in the Form Trigger node's CSS sanitization to store a cross-site scripting (XSS) payload. The injected script executes persistently for every visitor of the published form, enabling form submission hijacking and phishing. The existing Content Security Policy prevents direct n8n session cookie theft but does not prevent script execution or form action manipulation.\n\n## Patches\nThe issue has been fixed in n8n versions 2.12.0, 2.11.2, and 1.123.25. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-q4fm-pjq6-m63g","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-q4fm-pjq6-m63g"},{"reference_url":"https://github.com/advisories/GHSA-q4fm-pjq6-m63g","reference_id":"GHSA-q4fm-pjq6-m63g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q4fm-pjq6-m63g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374746?format=json","purl":"pkg:npm/n8n@1.123.25","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.25"},{"url":"http://public2.vulnerablecode.io/api/packages/374745?format=json","purl":"pkg:npm/n8n@2.11.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.11.2"}],"aliases":["GHSA-q4fm-pjq6-m63g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r89t-ywcr-kbev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80281?format=json","vulnerability_id":"VCID-ra9y-br8w-k7au","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.22, 2.9.3, and 2.10.1, an authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data from the same Node.js process — including data from prior requests, tasks, secrets, or tokens — resulting in information disclosure of sensitive in-process data. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. In external runner mode, the impact is limited to data within the external runner process. The issue has been fixed in n8n versions 1.123.22, 2.10.1 , and 2.9.3. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to isolate the runner process. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27496","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12722","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12805","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12814","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12824","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27496"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27496","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27496"},{"reference_url":"https://docs.n8n.io/hosting/securing/blocking-nodes","reference_id":"blocking-nodes","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:08:59Z/"}],"url":"https://docs.n8n.io/hosting/securing/blocking-nodes"},{"reference_url":"https://github.com/advisories/GHSA-xvh5-5qg4-x9qp","reference_id":"GHSA-xvh5-5qg4-x9qp","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xvh5-5qg4-x9qp"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-xvh5-5qg4-x9qp","reference_id":"GHSA-xvh5-5qg4-x9qp","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:08:59Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-xvh5-5qg4-x9qp"},{"reference_url":"https://docs.n8n.io/hosting/configuration/task-runners","reference_id":"task-runners","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:08:59Z/"}],"url":"https://docs.n8n.io/hosting/configuration/task-runners"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27496","GHSA-xvh5-5qg4-x9qp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ra9y-br8w-k7au"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70284?format=json","vulnerability_id":"VCID-rq3f-24px-ykfk","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be registered. When a user denies the MCP OAuth consent dialog, the handleDeny handler redirects the user to the registered redirect_uri without validation, enabling an open redirect to an attacker-controlled URL. An attacker can craft a phishing link and send it to a victim; if the victim clicks \"Deny\" on the consent page, they are silently redirected to an external site. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42230","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17922","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17771","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17947","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17931","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42230"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42230","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42230"},{"reference_url":"https://github.com/advisories/GHSA-f6x8-65q6-j9m9","reference_id":"GHSA-f6x8-65q6-j9m9","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f6x8-65q6-j9m9"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f6x8-65q6-j9m9","reference_id":"GHSA-f6x8-65q6-j9m9","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:55:49Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f6x8-65q6-j9m9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42230","GHSA-f6x8-65q6-j9m9"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rq3f-24px-ykfk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65944?format=json","vulnerability_id":"VCID-s86a-mpj9-dfhg","summary":"n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25056","reference_id":"","reference_type":"","scores":[{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45514","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.4551","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45523","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45364","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25056"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25056","reference_id":"CVE-2026-25056","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25056"},{"reference_url":"https://github.com/advisories/GHSA-hv53-3329-vmrm","reference_id":"GHSA-hv53-3329-vmrm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hv53-3329-vmrm"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm","reference_id":"GHSA-hv53-3329-vmrm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:17Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38758?format=json","purl":"pkg:npm/n8n@1.118.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.118.0"},{"url":"http://public2.vulnerablecode.io/api/packages/38755?format=json","purl":"pkg:npm/n8n@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0"}],"aliases":["CVE-2026-25056","GHSA-hv53-3329-vmrm"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s86a-mpj9-dfhg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212671?format=json","vulnerability_id":"VCID-s8p4-nts1-2fh2","summary":"n8n has an SSO Enforcement Bypass in its Self-Service Settings API","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/a70b2ea379086da3de103bb84811e88cadf29976","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/a70b2ea379086da3de103bb84811e88cadf29976"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.8.0","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.8.0"},{"reference_url":"https://github.com/advisories/GHSA-vjf3-2gpj-233v","reference_id":"GHSA-vjf3-2gpj-233v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vjf3-2gpj-233v"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vjf3-2gpj-233v","reference_id":"GHSA-vjf3-2gpj-233v","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vjf3-2gpj-233v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39942?format=json","purl":"pkg:npm/n8n@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.8.0"}],"aliases":["GHSA-vjf3-2gpj-233v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s8p4-nts1-2fh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97986?format=json","vulnerability_id":"VCID-ssr2-5x7e-9uf7","summary":"n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com), credential or 2FA theft if users are tricked into re-entering sensitive information, and/or reputation risk due to the visual similarity between attacker-controlled domains and trusted ones. The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. The issue has been patched in version 1.98.0. All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49592","reference_id":"","reference_type":"","scores":[{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39294","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39477","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39464","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39489","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49592"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49592","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49592"},{"reference_url":"https://github.com/n8n-io/n8n/pull/16034","reference_id":"16034","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/"}],"url":"https://github.com/n8n-io/n8n/pull/16034"},{"reference_url":"https://github.com/n8n-io/n8n/commit/4865d1e360a0fe7b045e295b5e1a29daad12314e","reference_id":"4865d1e360a0fe7b045e295b5e1a29daad12314e","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/"}],"url":"https://github.com/n8n-io/n8n/commit/4865d1e360a0fe7b045e295b5e1a29daad12314e"},{"reference_url":"https://github.com/advisories/GHSA-5vj6-wjr7-5v9f","reference_id":"GHSA-5vj6-wjr7-5v9f","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5vj6-wjr7-5v9f"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-5vj6-wjr7-5v9f","reference_id":"GHSA-5vj6-wjr7-5v9f","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-5vj6-wjr7-5v9f"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0","reference_id":"n8n%401.98.0","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378583?format=json","purl":"pkg:npm/n8n@1.98.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-727u-nmx9-xuf3"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-et9c-dh4q-3qcy"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-fy3d-ykem-3fgr"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-kw94-d9qx-3qf9"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-vht4-48cx-c7gu"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"},{"vulnerability":"VCID-xsuv-1w6k-akeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.98.0"}],"aliases":["CVE-2025-49592","GHSA-5vj6-wjr7-5v9f"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ssr2-5x7e-9uf7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212287?format=json","vulnerability_id":"VCID-st8g-2xn4-97b9","summary":"n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/advisories/GHSA-365g-vjw2-grx8","reference_id":"GHSA-365g-vjw2-grx8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-365g-vjw2-grx8"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-365g-vjw2-grx8","reference_id":"GHSA-365g-vjw2-grx8","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-365g-vjw2-grx8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/863927?format=json","purl":"pkg:npm/n8n@1.115.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.115.0"}],"aliases":["GHSA-365g-vjw2-grx8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-st8g-2xn4-97b9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70188?format=json","vulnerability_id":"VCID-su1t-s9q1-h7am","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42229","reference_id":"","reference_type":"","scores":[{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.20087","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.20063","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19896","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.20068","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42229"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42229","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42229"},{"reference_url":"https://github.com/advisories/GHSA-mp4j-h6gh-f6mp","reference_id":"GHSA-mp4j-h6gh-f6mp","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mp4j-h6gh-f6mp"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mp4j-h6gh-f6mp","reference_id":"GHSA-mp4j-h6gh-f6mp","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T15:00:08Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mp4j-h6gh-f6mp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42229","GHSA-mp4j-h6gh-f6mp"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-su1t-s9q1-h7am"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360180?format=json","vulnerability_id":"VCID-ty34-7aqe-27gv","summary":"n8n has XSS in Chat Trigger Node through Custom CSS\n## Impact\nAn authenticated user with permission to create or modify workflows could inject malicious JavaScript into the Custom CSS field of the Chat Trigger node. Due to a misconfiguration in the `sanitize-html` library, the sanitization could be bypassed, resulting in stored XSS on the public chat page. Any user visiting the chat URL would be affected.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-3c7f-5hgj-h279","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-3c7f-5hgj-h279"},{"reference_url":"https://github.com/advisories/GHSA-3c7f-5hgj-h279","reference_id":"GHSA-3c7f-5hgj-h279","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3c7f-5hgj-h279"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["GHSA-3c7f-5hgj-h279"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ty34-7aqe-27gv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79873?format=json","vulnerability_id":"VCID-ubn7-w3vz-hqgb","summary":"n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could use the Python Code node to escape the sandbox. The sandbox did not sufficiently restrict access to certain built-in Python objects, allowing an attacker to exfiltrate file contents or achieve RCE. On instances using internal Task Runners (default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other task executed on the Task Runner. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only., and/or disable the Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27494","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25578","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25792","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25776","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27494"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27494","reference_id":"CVE-2026-27494","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27494"},{"reference_url":"https://github.com/advisories/GHSA-mmgg-m5j7-f83h","reference_id":"GHSA-mmgg-m5j7-f83h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mmgg-m5j7-f83h"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mmgg-m5j7-f83h","reference_id":"GHSA-mmgg-m5j7-f83h","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mmgg-m5j7-f83h"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22","reference_id":"n8n@1.123.22","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1","reference_id":"n8n@2.10.1","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3","reference_id":"n8n@2.9.3","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27494","GHSA-mmgg-m5j7-f83h"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"8.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ubn7-w3vz-hqgb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78017?format=json","vulnerability_id":"VCID-umut-3bp5-y3eq","summary":"n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulated and the attack surface is practically limited. On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. The issue has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, and/or review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression that incorporates external or user-supplied input. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33713","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06754","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06737","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06746","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06765","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33713"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33713","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33713"},{"reference_url":"https://github.com/advisories/GHSA-98c2-4cr3-4jc3","reference_id":"GHSA-98c2-4cr3-4jc3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-98c2-4cr3-4jc3"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3","reference_id":"GHSA-98c2-4cr3-4jc3","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T17:58:32Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374757?format=json","purl":"pkg:npm/n8n@1.123.26","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.26"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33713","GHSA-98c2-4cr3-4jc3"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"8.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-umut-3bp5-y3eq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70587?format=json","vulnerability_id":"VCID-v4ft-nvxq-cyhy","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and use that credential in a helper execution path where the caller also controls the destination URL. This allowed the caller to force the backend to authenticate against attacker-controlled infrastructure using a credential belonging to another user, effectively exfiltrating a reusable API key. The issue is not limited to any single node type; any node that resolves credentials dynamically through these endpoints may be affected. This issue has been patched in versions 1.123.33, 2.17.5, and 2.18.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42226","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20379","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20355","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20183","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20359","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42226"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:L/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42226","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:L/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42226"},{"reference_url":"https://github.com/advisories/GHSA-r4v6-9fqc-w5jr","reference_id":"GHSA-r4v6-9fqc-w5jr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r4v6-9fqc-w5jr"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr","reference_id":"GHSA-r4v6-9fqc-w5jr","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:L/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:41:42Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373721?format=json","purl":"pkg:npm/n8n@1.123.33","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.33"},{"url":"http://public2.vulnerablecode.io/api/packages/373720?format=json","purl":"pkg:npm/n8n@2.17.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.5"}],"aliases":["CVE-2026-42226","GHSA-r4v6-9fqc-w5jr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v4ft-nvxq-cyhy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74537?format=json","vulnerability_id":"VCID-v6z9-pvhr-k7d2","summary":"n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21894","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06613","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.0663","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06642","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.0662","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21894"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/pull/22764","reference_id":"22764","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:42:25Z/"}],"url":"https://github.com/n8n-io/n8n/pull/22764"},{"reference_url":"https://github.com/n8n-io/n8n/commit/a61a5991093c41863506888336e808ac1eff8d59","reference_id":"a61a5991093c41863506888336e808ac1eff8d59","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:42:25Z/"}],"url":"https://github.com/n8n-io/n8n/commit/a61a5991093c41863506888336e808ac1eff8d59"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21894","reference_id":"CVE-2026-21894","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21894"},{"reference_url":"https://github.com/advisories/GHSA-jf52-3f2h-h9j5","reference_id":"GHSA-jf52-3f2h-h9j5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jf52-3f2h-h9j5"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jf52-3f2h-h9j5","reference_id":"GHSA-jf52-3f2h-h9j5","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:42:25Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jf52-3f2h-h9j5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36597?format=json","purl":"pkg:npm/n8n@2.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.2.2"}],"aliases":["CVE-2026-21894","GHSA-jf52-3f2h-h9j5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v6z9-pvhr-k7d2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105067?format=json","vulnerability_id":"VCID-vht4-48cx-c7gu","summary":"n8n is a workflow automation platform. Prior to version 1.99.1, an authorization vulnerability was discovered in the /rest/executions/:id/stop endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading to potential business disruption. This issue has been patched in version 1.99.1. A workaround involves restricting access to the /rest/executions/:id/stop endpoint via reverse proxy or API gateway.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-52554","reference_id":"","reference_type":"","scores":[{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.5618","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.56059","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.56194","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.56183","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-52554"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-52554","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-52554"},{"reference_url":"https://github.com/n8n-io/n8n/pull/16405","reference_id":"16405","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/"}],"url":"https://github.com/n8n-io/n8n/pull/16405"},{"reference_url":"https://github.com/dudanogueira/n8n/commit/ca2f90c7fbaa1d661ade2f45d587d9469bc287e1","reference_id":"ca2f90c7fbaa1d661ade2f45d587d9469bc287e1","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/"}],"url":"https://github.com/dudanogueira/n8n/commit/ca2f90c7fbaa1d661ade2f45d587d9469bc287e1"},{"reference_url":"https://github.com/n8n-io/n8n/commit/e5edc60e344924230baafb11fa1f0af788e9ca9a","reference_id":"e5edc60e344924230baafb11fa1f0af788e9ca9a","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/"}],"url":"https://github.com/n8n-io/n8n/commit/e5edc60e344924230baafb11fa1f0af788e9ca9a"},{"reference_url":"https://github.com/advisories/GHSA-gq57-v332-7666","reference_id":"GHSA-gq57-v332-7666","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gq57-v332-7666"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-gq57-v332-7666","reference_id":"GHSA-gq57-v332-7666","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-gq57-v332-7666"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378426?format=json","purl":"pkg:npm/n8n@1.99.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-et9c-dh4q-3qcy"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-kw94-d9qx-3qf9"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"},{"vulnerability":"VCID-xsuv-1w6k-akeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.99.1"}],"aliases":["CVE-2025-52554","GHSA-gq57-v332-7666"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vht4-48cx-c7gu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65839?format=json","vulnerability_id":"VCID-wbd6-q158-8khm","summary":"n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execute code outside the intended security boundary. This issue has been patched in version 2.4.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25115","reference_id":"","reference_type":"","scores":[{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22877","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22857","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.22866","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.2267","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25115"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/8607d372f78c388bb3691d9d5b52af7259ec7b1f","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/8607d372f78c388bb3691d9d5b52af7259ec7b1f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25115","reference_id":"CVE-2026-25115","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25115"},{"reference_url":"https://github.com/advisories/GHSA-8398-gmmx-564h","reference_id":"GHSA-8398-gmmx-564h","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8398-gmmx-564h"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h","reference_id":"GHSA-8398-gmmx-564h","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:16Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38759?format=json","purl":"pkg:npm/n8n@2.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.8"}],"aliases":["CVE-2026-25115","GHSA-8398-gmmx-564h"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wbd6-q158-8khm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212665?format=json","vulnerability_id":"VCID-wg96-fujy-33db","summary":"n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/f73fae6fe7fc34907bba102648a9997186aa4385","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/f73fae6fe7fc34907bba102648a9997186aa4385"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n%402.4.0","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n%402.4.0"},{"reference_url":"https://github.com/advisories/GHSA-f3f2-mcxc-pwjx","reference_id":"GHSA-f3f2-mcxc-pwjx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f3f2-mcxc-pwjx"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx","reference_id":"GHSA-f3f2-mcxc-pwjx","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38755?format=json","purl":"pkg:npm/n8n@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0"}],"aliases":["GHSA-f3f2-mcxc-pwjx"],"risk_score":3.7,"exploitability":"0.5","weighted_severity":"7.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wg96-fujy-33db"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70648?format=json","vulnerability_id":"VCID-wte4-73wa-53fx","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42234","reference_id":"","reference_type":"","scores":[{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26644","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26629","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26427","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26628","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42234"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42234","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42234"},{"reference_url":"https://github.com/advisories/GHSA-44v6-jhgm-p3m4","reference_id":"GHSA-44v6-jhgm-p3m4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-44v6-jhgm-p3m4"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-44v6-jhgm-p3m4","reference_id":"GHSA-44v6-jhgm-p3m4","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T03:56:38Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-44v6-jhgm-p3m4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42234","GHSA-44v6-jhgm-p3m4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wte4-73wa-53fx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70634?format=json","vulnerability_id":"VCID-x1jy-nk1c-6uak","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42231","reference_id":"","reference_type":"","scores":[{"value":"0.00471","scoring_system":"epss","scoring_elements":"0.65163","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00471","scoring_system":"epss","scoring_elements":"0.65171","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00471","scoring_system":"epss","scoring_elements":"0.65062","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00471","scoring_system":"epss","scoring_elements":"0.65174","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42231"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42231","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42231"},{"reference_url":"https://github.com/advisories/GHSA-q5f4-99jv-pgg5","reference_id":"GHSA-q5f4-99jv-pgg5","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q5f4-99jv-pgg5"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5","reference_id":"GHSA-q5f4-99jv-pgg5","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"10.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-04T20:17:57Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-n38u-498z-gke2"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42231","GHSA-q5f4-99jv-pgg5"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x1jy-nk1c-6uak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97058?format=json","vulnerability_id":"VCID-x83e-tmz3-rqd8","summary":"n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no restriction on the MIME type of uploaded files, and the MIME type could be controlled via a GET parameter. This allows the server to respond with any MIME type, potentially enabling malicious content to be interpreted and executed by the browser. An authenticated attacker with member-level permissions could exploit this by uploading a crafted HTML file containing malicious JavaScript. When another user visits the binary data endpoint with the MIME type set to text/html, the script executes in the context of the user’s session. This script could send a request to change the user’s email address in their account settings, effectively enabling account takeover. This issue has been patched in version 1.90.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46343","reference_id":"","reference_type":"","scores":[{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54525","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54651","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.5465","published_at":"2026-06-12T12:55:00Z"},{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54667","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46343"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46343","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46343"},{"reference_url":"https://github.com/n8n-io/n8n/pull/14350","reference_id":"14350","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/"}],"url":"https://github.com/n8n-io/n8n/pull/14350"},{"reference_url":"https://github.com/n8n-io/n8n/pull/14685","reference_id":"14685","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/"}],"url":"https://github.com/n8n-io/n8n/pull/14685"},{"reference_url":"https://github.com/advisories/GHSA-c8hm-hr8h-5xjw","reference_id":"GHSA-c8hm-hr8h-5xjw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c8hm-hr8h-5xjw"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-c8hm-hr8h-5xjw","reference_id":"GHSA-c8hm-hr8h-5xjw","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-c8hm-hr8h-5xjw"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.90.0","reference_id":"n8n%401.90.0","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.90.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376319?format=json","purl":"pkg:npm/n8n@1.90.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-727u-nmx9-xuf3"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-et9c-dh4q-3qcy"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-fy3d-ykem-3fgr"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-kw94-d9qx-3qf9"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ssr2-5x7e-9uf7"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-vht4-48cx-c7gu"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"},{"vulnerability":"VCID-xsuv-1w6k-akeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.90.0"}],"aliases":["CVE-2025-46343","GHSA-c8hm-hr8h-5xjw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x83e-tmz3-rqd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212666?format=json","vulnerability_id":"VCID-xf7g-p8s2-rqbj","summary":"n8n: Webhook Forgery on Github Webhook Trigger","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/a19347a6bc9a96d5065ac77d25a811e46178c578","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/a19347a6bc9a96d5065ac77d25a811e46178c578"},{"reference_url":"https://github.com/n8n-io/n8n/commit/afe322325502f448b33bff1db1575e4447c28a36","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/afe322325502f448b33bff1db1575e4447c28a36"},{"reference_url":"https://github.com/advisories/GHSA-mqpr-49jj-32rc","reference_id":"GHSA-mqpr-49jj-32rc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mqpr-49jj-32rc"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc","reference_id":"GHSA-mqpr-49jj-32rc","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39918?format=json","purl":"pkg:npm/n8n@1.123.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.15"},{"url":"http://public2.vulnerablecode.io/api/packages/38208?format=json","purl":"pkg:npm/n8n@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0"}],"aliases":["GHSA-mqpr-49jj-32rc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xf7g-p8s2-rqbj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78081?format=json","vulnerability_id":"VCID-xnnq-fzcn-7fbg","summary":"n8n is an open source workflow automation platform. Prior to versions 2.4.0 and 1.121.0, when LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user's email — including an administrator's — and upon login gain full access to that account. The account linkage persisted even if the LDAP email was later reverted, resulting in a permanent account takeover. LDAP authentication must be configured and active (non-default). The issue has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable LDAP authentication until the instance can be upgraded, restrict LDAP directory permissions so that users cannot modify their own email attributes, and/or audit existing LDAP-linked accounts for unexpected account associations. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33665","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09179","published_at":"2026-06-13T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09166","published_at":"2026-06-14T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09122","published_at":"2026-06-11T12:55:00Z"},{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09178","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33665"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33665","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33665"},{"reference_url":"https://github.com/advisories/GHSA-c545-x2rh-82fc","reference_id":"GHSA-c545-x2rh-82fc","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c545-x2rh-82fc"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc","reference_id":"GHSA-c545-x2rh-82fc","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T14:55:43Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36331?format=json","purl":"pkg:npm/n8n@1.121.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.121.0"},{"url":"http://public2.vulnerablecode.io/api/packages/38755?format=json","purl":"pkg:npm/n8n@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-63pn-hppa-13bx"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-7fn6-gvxs-wygq"},{"vulnerability":"VCID-8zpu-gnub-2bb8"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-hx1p-thnm-4ud4"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-n38u-498z-gke2"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0"}],"aliases":["CVE-2026-33665","GHSA-c545-x2rh-82fc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xnnq-fzcn-7fbg"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@0.195.1"}