{"url":"http://public2.vulnerablecode.io/api/packages/796342?format=json","purl":"pkg:npm/n8n@1.0.5","type":"npm","namespace":"","name":"n8n","version":"1.0.5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.123.33","latest_non_vulnerable_version":"2.22.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70598?format=json","vulnerability_id":"VCID-17dc-5ubt-g3e1","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, and update keys into query strings without identifier escaping, enabling SQL injection against the connected database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42237","reference_id":"","reference_type":"","scores":[{"value":"0.00037","scoring_system":"epss","scoring_elements":"0.11412","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42237"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42237","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42237"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx","reference_id":"GHSA-f3f2-mcxc-pwjx","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx"},{"reference_url":"https://github.com/advisories/GHSA-hp3c-vfpm-q4f7","reference_id":"GHSA-hp3c-vfpm-q4f7","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-hp3c-vfpm-q4f7"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hp3c-vfpm-q4f7","reference_id":"GHSA-hp3c-vfpm-q4f7","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T20:17:33Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hp3c-vfpm-q4f7"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42237","GHSA-hp3c-vfpm-q4f7"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-17dc-5ubt-g3e1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77657?format=json","vulnerability_id":"VCID-18zg-q45k-d3f3","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration. The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook). The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the LDAP node by adding `n8n-nodes-base.ldap` to the `NODES_EXCLUDE` environment variable, and/or avoid passing unvalidated external user input into LDAP node search parameters via expressions. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33751","reference_id":"","reference_type":"","scores":[{"value":"0.00019","scoring_system":"epss","scoring_elements":"0.05308","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33751"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33751","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33751"},{"reference_url":"https://github.com/advisories/GHSA-w83q-mcmx-mh42","reference_id":"GHSA-w83q-mcmx-mh42","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w83q-mcmx-mh42"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42","reference_id":"GHSA-w83q-mcmx-mh42","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T19:10:55Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33751","GHSA-w83q-mcmx-mh42"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-18zg-q45k-d3f3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360053?format=json","vulnerability_id":"VCID-1rt1-y3w9-skc7","summary":"n8n has XSS in its Credential Management Flow\n## Impact\nAn authenticated user with permission to create and share credentials could craft a malicious OAuth2 credential containing a JavaScript URL in the Authorization URL field. If a victim opened the credential and interacted with the OAuth authorization button, the injected script would execute in their browser session.\n\n## Patches\nThe issue has been fixed in n8n versions 2.8.0 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit credential creation and sharing permissions to fully trusted users only.\n- Restrict access to the n8n instance to trusted users only.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-364x-8g5j-x2pr","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"4.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-364x-8g5j-x2pr"},{"reference_url":"https://github.com/advisories/GHSA-364x-8g5j-x2pr","reference_id":"GHSA-364x-8g5j-x2pr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-364x-8g5j-x2pr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374624?format=json","purl":"pkg:npm/n8n@2.6.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.6.4"},{"url":"http://public2.vulnerablecode.io/api/packages/39942?format=json","purl":"pkg:npm/n8n@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.8.0"}],"aliases":["GHSA-364x-8g5j-x2pr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-1rt1-y3w9-skc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360207?format=json","vulnerability_id":"VCID-2kxv-vwc7-3ubf","summary":"n8n: Authenticated XSS and Open Redirect via Form Node\n## Impact\nAn authenticated user with permission to create or modify workflows could configure a Form Node with an unsanitized HTML description field or exploit an overly permissive iframe sandbox policy to perform stored cross-site scripting or redirect end users visiting the form to an arbitrary external URL. The vulnerability could be used to facilitate phishing attacks.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.24, 2.10.4 and 2.12.0. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Form node by adding `n8n-nodes-base.form` to the `NODES_EXCLUDE` environment variable.\n- Disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-w673-8fjw-457c","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-w673-8fjw-457c"},{"reference_url":"https://github.com/advisories/GHSA-w673-8fjw-457c","reference_id":"GHSA-w673-8fjw-457c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w673-8fjw-457c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375283?format=json","purl":"pkg:npm/n8n@1.123.24","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.24"},{"url":"http://public2.vulnerablecode.io/api/packages/375282?format=json","purl":"pkg:npm/n8n@2.10.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.4"},{"url":"http://public2.vulnerablecode.io/api/packages/375281?format=json","purl":"pkg:npm/n8n@2.12.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.12.0"}],"aliases":["GHSA-w673-8fjw-457c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2kxv-vwc7-3ubf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70609?format=json","vulnerability_id":"VCID-39dw-4b5k-1bae","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via the XML Node leading to RCE when combined with other nodes exploiting the prototype pollution. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42232","reference_id":"","reference_type":"","scores":[{"value":"0.00223","scoring_system":"epss","scoring_elements":"0.45037","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42232"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42232","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42232"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r","reference_id":"GHSA-hqr4-h3xv-9m3r","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-04T19:41:11Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hqr4-h3xv-9m3r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42232","GHSA-hqr4-h3xv-9m3r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-39dw-4b5k-1bae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93481?format=json","vulnerability_id":"VCID-3p4c-nkcn-hkey","summary":"n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: \"[\\\"n8n-nodes-base.code\\\"]\", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68668","reference_id":"","reference_type":"","scores":[{"value":"0.00035","scoring_system":"epss","scoring_elements":"0.10857","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68668"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68668","reference_id":"CVE-2025-68668","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68668"},{"reference_url":"https://www.smartkeyss.com/post/cve-2025-68668-breaking-out-of-the-python-sandbox-in-n8n","reference_id":"CVE-2025-68668-BREAKING-OUT-OF-THE-PYTHON-SANDBOX-IN-N8N","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.smartkeyss.com/post/cve-2025-68668-breaking-out-of-the-python-sandbox-in-n8n"},{"reference_url":"https://github.com/advisories/GHSA-62r4-hw23-cc8v","reference_id":"GHSA-62r4-hw23-cc8v","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-62r4-hw23-cc8v"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v","reference_id":"GHSA-62r4-hw23-cc8v","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-26T21:54:21Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-62r4-hw23-cc8v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36372?format=json","purl":"pkg:npm/n8n@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0"}],"aliases":["CVE-2025-68668","GHSA-62r4-hw23-cc8v"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3p4c-nkcn-hkey"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70147?format=json","vulnerability_id":"VCID-456j-q8xt-57e3","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the Oracle Database node's select operation allowed user-controlled input passed into the Limit field via expressions to be interpolated directly into the SQL query without sanitization or parameterization. In workflows where external input is passed into the Limit field (e.g., from a webhook), an attacker could inject arbitrary SQL and exfiltrate data from the connected Oracle database. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42233","reference_id":"","reference_type":"","scores":[{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19896","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42233"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42233","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42233"},{"reference_url":"https://github.com/advisories/GHSA-r6jc-mpqw-m755","reference_id":"GHSA-r6jc-mpqw-m755","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-r6jc-mpqw-m755"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755","reference_id":"GHSA-r6jc-mpqw-m755","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:08:55Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-r6jc-mpqw-m755"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42233","GHSA-r6jc-mpqw-m755"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-456j-q8xt-57e3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70273?format=json","vulnerability_id":"VCID-4crt-c14t-53dq","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute arbitrary JavaScript in the victim's authenticated n8n browser session, enabling credential and session token theft, workflow manipulation, or privilege escalation. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42235","reference_id":"","reference_type":"","scores":[{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.29789","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42235"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42235","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42235"},{"reference_url":"https://github.com/advisories/GHSA-537j-gqpc-p7fq","reference_id":"GHSA-537j-gqpc-p7fq","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-537j-gqpc-p7fq"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq","reference_id":"GHSA-537j-gqpc-p7fq","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T14:39:57Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-537j-gqpc-p7fq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42235","GHSA-537j-gqpc-p7fq"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-4crt-c14t-53dq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74152?format=json","vulnerability_id":"VCID-5c7w-mba9-mucn","summary":"n8n is an open source workflow automation platform. In versions 0.121.2 and below, an authenticated attacker may be able to execute malicious code using the n8n service. This could result in full compromise and can impact both self-hosted and n8n Cloud instances. This issue is fixed in version 1.121.3. Administrators can reduce exposure by disabling the Git node and limiting access for untrusted users, but upgrading to the latest version is recommended.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21877","reference_id":"","reference_type":"","scores":[{"value":"0.05899","scoring_system":"epss","scoring_elements":"0.90808","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21877"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21877","reference_id":"CVE-2026-21877","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21877"},{"reference_url":"https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6","reference_id":"f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-08T18:59:03Z/"}],"url":"https://github.com/n8n-io/n8n/commit/f4b009d00d1f4ba9359b8e8f1c071e3d910a55f6"},{"reference_url":"https://github.com/advisories/GHSA-v364-rw7m-3263","reference_id":"GHSA-v364-rw7m-3263","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v364-rw7m-3263"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263","reference_id":"GHSA-v364-rw7m-3263","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-01-08T18:59:03Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-v364-rw7m-3263"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36555?format=json","purl":"pkg:npm/n8n@1.121.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.121.3"}],"aliases":["CVE-2026-21877","GHSA-v364-rw7m-3263"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5c7w-mba9-mucn"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77880?format=json","vulnerability_id":"VCID-5fsf-m3s8-pfg2","summary":"n8n is an open source workflow automation platform. Prior to versions 2.6.4 and 1.123.23, an authenticated user without permission to list external secrets could reference a secret by the external name in a credential and retrieve its plaintext value when saving the credential. This bypassed the `externalSecret:list` permission check and allowed access to secrets stored in connected vaults without admin or owner privileges. This issue requires the instance to have an external secrets vault configured. The attacker must know or be able to guess the name of a target secret. The issue has been fixed in n8n versions 1.123.23 and 2.6.4. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict n8n access to fully trusted users only, and/or disable external secrets integration until the patch can be applied. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33722","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04474","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33722"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33722","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33722"},{"reference_url":"https://github.com/advisories/GHSA-fxcw-h3qj-8m8p","reference_id":"GHSA-fxcw-h3qj-8m8p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-fxcw-h3qj-8m8p"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-fxcw-h3qj-8m8p","reference_id":"GHSA-fxcw-h3qj-8m8p","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"7.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-28T01:28:29Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-fxcw-h3qj-8m8p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374623?format=json","purl":"pkg:npm/n8n@1.123.23","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.23"},{"url":"http://public2.vulnerablecode.io/api/packages/374624?format=json","purl":"pkg:npm/n8n@2.6.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.6.4"}],"aliases":["CVE-2026-33722","GHSA-fxcw-h3qj-8m8p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5fsf-m3s8-pfg2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65724?format=json","vulnerability_id":"VCID-5pjr-smm2-pyav","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n's interface, including workflow sticky notes and other areas that support markdown content. An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in versions 1.123.9 and 2.2.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25054","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03977","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25054"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25054","reference_id":"CVE-2026-25054","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25054"},{"reference_url":"https://github.com/advisories/GHSA-qpq4-pw7f-pp8w","reference_id":"GHSA-qpq4-pw7f-pp8w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qpq4-pw7f-pp8w"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w","reference_id":"GHSA-qpq4-pw7f-pp8w","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:21Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38752?format=json","purl":"pkg:npm/n8n@1.123.9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.9"},{"url":"http://public2.vulnerablecode.io/api/packages/38754?format=json","purl":"pkg:npm/n8n@2.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.2.1"}],"aliases":["CVE-2026-25054","GHSA-qpq4-pw7f-pp8w"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5pjr-smm2-pyav"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74420?format=json","vulnerability_id":"VCID-63n8-hy1m-3ke5","summary":"n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21893","reference_id":"","reference_type":"","scores":[{"value":"0.0025","scoring_system":"epss","scoring_elements":"0.48668","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21893"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838","reference_id":"ae0669a736cc496beeb296e115267862727ae838","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T19:33:16Z/"}],"url":"https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21893","reference_id":"CVE-2026-21893","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21893"},{"reference_url":"https://github.com/advisories/GHSA-7c4h-vh2m-743m","reference_id":"GHSA-7c4h-vh2m-743m","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7c4h-vh2m-743m"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m","reference_id":"GHSA-7c4h-vh2m-743m","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T19:33:16Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38719?format=json","purl":"pkg:npm/n8n@1.120.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.120.3"}],"aliases":["CVE-2026-21893","GHSA-7c4h-vh2m-743m"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-63n8-hy1m-3ke5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77730?format=json","vulnerability_id":"VCID-6pzv-3t6r-akeq","summary":"n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the XML and the GSuiteAdmin nodes. By supplying a crafted parameters as part of node configuration, an attacker could write attacker-controlled values onto `Object.prototype`. An attacker could use this prototype pollution to achieve remote code execution on the n8n instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.27. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the XML node by adding `n8n-nodes-base.xml` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33696","reference_id":"","reference_type":"","scores":[{"value":"0.0021","scoring_system":"epss","scoring_elements":"0.43526","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33696"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33696","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33696"},{"reference_url":"https://github.com/advisories/GHSA-mxrg-77hm-89hv","reference_id":"GHSA-mxrg-77hm-89hv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mxrg-77hm-89hv"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mxrg-77hm-89hv","reference_id":"GHSA-mxrg-77hm-89hv","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T20:08:10Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mxrg-77hm-89hv"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33696","GHSA-mxrg-77hm-89hv"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6pzv-3t6r-akeq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212672?format=json","vulnerability_id":"VCID-6xm5-7kq2-xqdm","summary":"n8n has an Authentication Bypass in its Chat Trigger Node","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a"},{"reference_url":"https://github.com/advisories/GHSA-jh8h-6c9q-7gmw","reference_id":"GHSA-jh8h-6c9q-7gmw","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jh8h-6c9q-7gmw"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jh8h-6c9q-7gmw","reference_id":"GHSA-jh8h-6c9q-7gmw","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jh8h-6c9q-7gmw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["GHSA-jh8h-6c9q-7gmw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6xm5-7kq2-xqdm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/98223?format=json","vulnerability_id":"VCID-727u-nmx9-xuf3","summary":"n8n is a workflow automation platform. Prior to version 1.99.0, there is a denial of Service vulnerability in /rest/binary-data endpoint when processing empty filesystem URIs (filesystem:// or filesystem-v2://). This allows authenticated attackers to cause service unavailability through malformed filesystem URI requests, effecting the /rest/binary-data endpoint and n8n.cloud instances (confirmed HTTP/2 524 timeout responses). Attackers can exploit this by sending GET requests with empty filesystem URIs (filesystem:// or filesystem-v2://) to the /rest/binary-data endpoint, causing resource exhaustion and service disruption. This issue has been patched in version 1.99.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49595","reference_id":"","reference_type":"","scores":[{"value":"0.00293","scoring_system":"epss","scoring_elements":"0.52985","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49595"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49595","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49595"},{"reference_url":"https://github.com/n8n-io/n8n/pull/16229","reference_id":"16229","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T13:10:37Z/"}],"url":"https://github.com/n8n-io/n8n/pull/16229"},{"reference_url":"https://github.com/n8n-io/n8n/commit/43c52a8b4f844e91b02e3cc9df92826a2d7b6052","reference_id":"43c52a8b4f844e91b02e3cc9df92826a2d7b6052","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T13:10:37Z/"}],"url":"https://github.com/n8n-io/n8n/commit/43c52a8b4f844e91b02e3cc9df92826a2d7b6052"},{"reference_url":"https://github.com/advisories/GHSA-pr9r-gxgp-9rm8","reference_id":"GHSA-pr9r-gxgp-9rm8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-pr9r-gxgp-9rm8"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-pr9r-gxgp-9rm8","reference_id":"GHSA-pr9r-gxgp-9rm8","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T13:10:37Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-pr9r-gxgp-9rm8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378487?format=json","purl":"pkg:npm/n8n@1.99.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-et9c-dh4q-3qcy"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-kw94-d9qx-3qf9"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-vht4-48cx-c7gu"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"},{"vulnerability":"VCID-xsuv-1w6k-akeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.99.0"}],"aliases":["CVE-2025-49595","GHSA-pr9r-gxgp-9rm8"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-727u-nmx9-xuf3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78102?format=json","vulnerability_id":"VCID-78yr-xz2p-rkff","summary":"n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could use the Merge node's \"Combine by SQL\" mode to read local files on the n8n host and achieve remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to access sensitive files on the server or even compromise the instance. The issue has been fixed in n8n versions 2.14.1, 2.13.3, and 1.123.26. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33660","reference_id":"","reference_type":"","scores":[{"value":"0.0008","scoring_system":"epss","scoring_elements":"0.23658","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33660"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33660","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33660"},{"reference_url":"https://github.com/advisories/GHSA-58qr-rcgv-642v","reference_id":"GHSA-58qr-rcgv-642v","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-58qr-rcgv-642v"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v","reference_id":"GHSA-58qr-rcgv-642v","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-03-28T01:26:07Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33660","GHSA-58qr-rcgv-642v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-78yr-xz2p-rkff"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212662?format=json","vulnerability_id":"VCID-95f5-4xkw-yuae","summary":"n8n Vulnerable to Stored XSS via Various Nodes","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27578","reference_id":"","reference_type":"","scores":[{"value":"0.00032","scoring_system":"epss","scoring_elements":"0.09942","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27578"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/062644ef786b6af480afe4a0f12bc6d70040534a"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27578","reference_id":"CVE-2026-27578","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27578"},{"reference_url":"https://github.com/advisories/GHSA-2p9h-rqjw-gm92","reference_id":"GHSA-2p9h-rqjw-gm92","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2p9h-rqjw-gm92"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92","reference_id":"GHSA-2p9h-rqjw-gm92","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-2p9h-rqjw-gm92"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27578","GHSA-2p9h-rqjw-gm92"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-95f5-4xkw-yuae"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66086?format=json","vulnerability_id":"VCID-9bcs-wgnz-m3e8","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance. This issue has been patched in versions 1.123.18 and 2.5.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25052","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06479","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25052"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25052","reference_id":"CVE-2026-25052","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25052"},{"reference_url":"https://github.com/advisories/GHSA-gfvg-qv54-r4pc","reference_id":"GHSA-gfvg-qv54-r4pc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gfvg-qv54-r4pc"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc","reference_id":"GHSA-gfvg-qv54-r4pc","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:20Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38741?format=json","purl":"pkg:npm/n8n@1.123.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.18"},{"url":"http://public2.vulnerablecode.io/api/packages/38208?format=json","purl":"pkg:npm/n8n@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0"}],"aliases":["CVE-2026-25052","GHSA-gfvg-qv54-r4pc"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9bcs-wgnz-m3e8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/93416?format=json","vulnerability_id":"VCID-b5ba-g4u9-jkgx","summary":"n8n is an open source workflow automation platform. Versions starting with 0.211.0 and prior to 1.120.4, 1.121.1, and 1.122.0 contain a critical Remote Code Execution (RCE) vulnerability in their workflow expression evaluation system. Under certain conditions, expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. This issue has been fixed in versions 1.120.4, 1.121.1, and 1.122.0. Users are strongly advised to upgrade to a patched version, which introduces additional safeguards to restrict expression evaluation. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only; and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully eliminate the risk and should only be used as short-term measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68613","reference_id":"","reference_type":"","scores":[{"value":"0.68312","scoring_system":"epss","scoring_elements":"0.98626","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-68613"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://www.akamai.com/blog/security-research/2026/feb/zerobot-malware-targets-n8n-automation-platform","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.akamai.com/blog/security-research/2026/feb/zerobot-malware-targets-n8n-automation-platform"},{"reference_url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68613","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68613"},{"reference_url":"https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79","reference_id":"08f332015153decdda3c37ad4fcb9f7ba13a7c79","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-03-11T17:39:59Z/"}],"url":"https://github.com/n8n-io/n8n/commit/08f332015153decdda3c37ad4fcb9f7ba13a7c79"},{"reference_url":"https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000","reference_id":"1c933358acef527ff61466e53268b41a04be1000","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-03-11T17:39:59Z/"}],"url":"https://github.com/n8n-io/n8n/commit/1c933358acef527ff61466e53268b41a04be1000"},{"reference_url":"https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316","reference_id":"39a2d1d60edde89674ca96dcbb3eb076ffff6316","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-03-11T17:39:59Z/"}],"url":"https://github.com/n8n-io/n8n/commit/39a2d1d60edde89674ca96dcbb3eb076ffff6316"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68613","reference_id":"CVE-2025-68613","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-68613"},{"reference_url":"https://github.com/advisories/GHSA-v98v-ff95-f3cp","reference_id":"GHSA-v98v-ff95-f3cp","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v98v-ff95-f3cp"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp","reference_id":"GHSA-v98v-ff95-f3cp","reference_type":"","scores":[{"value":"10","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Attend","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2026-03-11T17:39:59Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36334?format=json","purl":"pkg:npm/n8n@1.120.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.120.4"},{"url":"http://public2.vulnerablecode.io/api/packages/36332?format=json","purl":"pkg:npm/n8n@1.121.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.121.1"}],"aliases":["CVE-2025-68613","GHSA-v98v-ff95-f3cp"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-b5ba-g4u9-jkgx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/91181?format=json","vulnerability_id":"VCID-c232-fvfd-3fda","summary":"n8n is an open source workflow automation platform. Versions 0.123.1 through 1.119.1 do not have adequate protections to prevent RCE through the project's pre-commit hooks. The Add Config operation allows workflows to set arbitrary Git configuration values, including core.hooksPath, which can point to a malicious Git hook that executes arbitrary commands on the n8n host during subsequent Git operations. Exploitation requires the ability to create or modify an n8n workflow using the Git node. This issue is fixed in version 1.119.2. Workarounds include excluding the Git Node (Docs) and avoiding cloning or interacting with untrusted repositories using the Git Node.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65964","reference_id":"","reference_type":"","scores":[{"value":"0.00033","scoring_system":"epss","scoring_elements":"0.1024","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-65964"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65964","reference_id":"CVE-2025-65964","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-65964"},{"reference_url":"https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04","reference_id":"d5a1171f95f75def5c3ac577707ab913e22aef04","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/"}],"url":"https://github.com/n8n-io/n8n/commit/d5a1171f95f75def5c3ac577707ab913e22aef04"},{"reference_url":"https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes","reference_id":"#exclude-nodes","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/"}],"url":"https://n8n-docs.teamlab.info/hosting/securing/blocking-nodes/#exclude-nodes"},{"reference_url":"https://github.com/advisories/GHSA-wpqc-h9wp-chmq","reference_id":"GHSA-wpqc-h9wp-chmq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wpqc-h9wp-chmq"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq","reference_id":"GHSA-wpqc-h9wp-chmq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-wpqc-h9wp-chmq"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2","reference_id":"n8n%401.119.2","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-09T14:18:38Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.119.2"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/35913?format=json","purl":"pkg:npm/n8n@1.119.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.119.2"}],"aliases":["CVE-2025-65964","GHSA-wpqc-h9wp-chmq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c232-fvfd-3fda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65612?format=json","vulnerability_id":"VCID-c4s3-zx71-c7h3","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.10 and 2.5.0, vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host. This issue has been patched in versions 1.123.10 and 2.5.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25053","reference_id":"","reference_type":"","scores":[{"value":"0.00031","scoring_system":"epss","scoring_elements":"0.09532","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25053"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25053","reference_id":"CVE-2026-25053","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25053"},{"reference_url":"https://github.com/advisories/GHSA-9g95-qf3f-ggrw","reference_id":"GHSA-9g95-qf3f-ggrw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9g95-qf3f-ggrw"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw","reference_id":"GHSA-9g95-qf3f-ggrw","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:18Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38744?format=json","purl":"pkg:npm/n8n@1.123.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.10"},{"url":"http://public2.vulnerablecode.io/api/packages/38208?format=json","purl":"pkg:npm/n8n@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0"}],"aliases":["CVE-2026-25053","GHSA-9g95-qf3f-ggrw"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c4s3-zx71-c7h3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77941?format=json","vulnerability_id":"VCID-camv-m2tf-qkac","summary":"n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.27, an authenticated user with the `global:member` role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) belonging to other users on the same instance. The attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during pre-execution validation. Together, these flaws allow a member-role user to resolve another user's credential ID and execute a workflow that decrypts and uses that credential without authorization. Native integration credential types (e.g. `slackApi`, `openAiApi`, `postgres`) are not affected by this issue. This vulnerability affects Community Edition only. Enterprise Edition has additional permission gates on workflow creation and execution that independently block this attack chain. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Restrict instance access to fully trusted users only, and/or audit credentials stored on the instance and rotate any generic HTTP credentials (`httpBasicAuth`, `httpHeaderAuth`, `httpQueryAuth`) that may have been exposed. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33663","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06425","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33663"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33663","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33663"},{"reference_url":"https://github.com/advisories/GHSA-m63j-689w-3j35","reference_id":"GHSA-m63j-689w-3j35","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-m63j-689w-3j35"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35","reference_id":"GHSA-m63j-689w-3j35","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T17:51:35Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33663","GHSA-m63j-689w-3j35"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-camv-m2tf-qkac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78399?format=json","vulnerability_id":"VCID-cxss-9g41-gfb7","summary":"n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime.\n\nAn authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1470","reference_id":"","reference_type":"","scores":[{"value":"0.02265","scoring_system":"epss","scoring_elements":"0.84993","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-1470"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/25c4b9605b420a98d0185a4f01115122a5134d8f","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/25c4b9605b420a98d0185a4f01115122a5134d8f"},{"reference_url":"https://github.com/n8n-io/n8n/commit/30383d86139f3279a698df8d229eadfefe8627f4","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/30383d86139f3279a698df8d229eadfefe8627f4"},{"reference_url":"https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce"},{"reference_url":"https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04","reference_id":"aa4d1e5825829182afa0ad5b81f602638f55fa04","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-27T14:35:25Z/"}],"url":"https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1470","reference_id":"CVE-2026-1470","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1470"},{"reference_url":"https://github.com/advisories/GHSA-5xrp-6693-jjx9","reference_id":"GHSA-5xrp-6693-jjx9","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5xrp-6693-jjx9"},{"reference_url":"https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/","reference_id":"n8n-expression-node-rce","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-27T14:35:25Z/"}],"url":"https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38205?format=json","purl":"pkg:npm/n8n@1.123.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.17"},{"url":"http://public2.vulnerablecode.io/api/packages/38207?format=json","purl":"pkg:npm/n8n@2.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.5"},{"url":"http://public2.vulnerablecode.io/api/packages/38209?format=json","purl":"pkg:npm/n8n@2.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.1"}],"aliases":["CVE-2026-1470","GHSA-5xrp-6693-jjx9"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cxss-9g41-gfb7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66132?format=json","vulnerability_id":"VCID-cy8m-aw8f-zkfx","summary":"n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25051","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03978","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25051"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/ced34c0f93ab4c759a56065965986094d8ef7323","reference_id":"ced34c0f93ab4c759a56065965986094d8ef7323","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:22Z/"}],"url":"https://github.com/n8n-io/n8n/commit/ced34c0f93ab4c759a56065965986094d8ef7323"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25051","reference_id":"CVE-2026-25051","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25051"},{"reference_url":"https://github.com/n8n-io/n8n/commit/e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9","reference_id":"e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:22Z/"}],"url":"https://github.com/n8n-io/n8n/commit/e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9"},{"reference_url":"https://github.com/advisories/GHSA-825q-w924-xhgx","reference_id":"GHSA-825q-w924-xhgx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-825q-w924-xhgx"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx","reference_id":"GHSA-825q-w924-xhgx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:22Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38738?format=json","purl":"pkg:npm/n8n@1.122.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.122.5"},{"url":"http://public2.vulnerablecode.io/api/packages/38734?format=json","purl":"pkg:npm/n8n@1.123.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.2"}],"aliases":["CVE-2026-25051","GHSA-825q-w924-xhgx"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cy8m-aw8f-zkfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212674?format=json","vulnerability_id":"VCID-cyxm-4jde-myc1","summary":"n8n has a Guardrail Node Bypass","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/8d0251d1deef256fd3d9176f05dedab62afde918","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/8d0251d1deef256fd3d9176f05dedab62afde918"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.0","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.0"},{"reference_url":"https://github.com/advisories/GHSA-fvfv-ppw4-7h2w","reference_id":"GHSA-fvfv-ppw4-7h2w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fvfv-ppw4-7h2w"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-fvfv-ppw4-7h2w","reference_id":"GHSA-fvfv-ppw4-7h2w","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-fvfv-ppw4-7h2w"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39883?format=json","purl":"pkg:npm/n8n@2.10.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.0"}],"aliases":["GHSA-fvfv-ppw4-7h2w"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cyxm-4jde-myc1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212675?format=json","vulnerability_id":"VCID-d1rq-nmws-w3fy","summary":"n8n has Webhook Forgery on Zendesk Trigger Node","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/3839e310bd4c3002c646c363d1411916fa195151","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/3839e310bd4c3002c646c363d1411916fa195151"},{"reference_url":"https://github.com/n8n-io/n8n/commit/c6520e4e87614fa60c9433e93019e211f19f65f9","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/c6520e4e87614fa60c9433e93019e211f19f65f9"},{"reference_url":"https://github.com/advisories/GHSA-38c7-23hj-2wgq","reference_id":"GHSA-38c7-23hj-2wgq","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-38c7-23hj-2wgq"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-38c7-23hj-2wgq","reference_id":"GHSA-38c7-23hj-2wgq","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-38c7-23hj-2wgq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38741?format=json","purl":"pkg:npm/n8n@1.123.18","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.18"},{"url":"http://public2.vulnerablecode.io/api/packages/39943?format=json","purl":"pkg:npm/n8n@2.6.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.6.2"}],"aliases":["GHSA-38c7-23hj-2wgq"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d1rq-nmws-w3fy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/77749?format=json","vulnerability_id":"VCID-d5bn-f87r-vka1","summary":"n8n is an open source workflow automation platform. Prior to version 2.8.0, when the `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK` environment variable is set to `true`, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in their name. This issue only affects instances where `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` is explicitly configured (non-default). The issue has been fixed in n8n version 2.8.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Avoid enabling `N8N_SKIP_AUTH_ON_OAUTH_CALLBACK=true` unless strictly required, and/ or restrict access to the n8n instance to fully trusted users only. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33720","reference_id":"","reference_type":"","scores":[{"value":"0.00014","scoring_system":"epss","scoring_elements":"0.02867","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33720"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33720","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33720"},{"reference_url":"https://github.com/advisories/GHSA-vpgc-2f6g-7w7x","reference_id":"GHSA-vpgc-2f6g-7w7x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-vpgc-2f6g-7w7x"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vpgc-2f6g-7w7x","reference_id":"GHSA-vpgc-2f6g-7w7x","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:07:38Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vpgc-2f6g-7w7x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39942?format=json","purl":"pkg:npm/n8n@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.8.0"}],"aliases":["CVE-2026-33720","GHSA-vpgc-2f6g-7w7x"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d5bn-f87r-vka1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66101?format=json","vulnerability_id":"VCID-d5s2-xbfd-ukg7","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25049","reference_id":"","reference_type":"","scores":[{"value":"0.00053","scoring_system":"epss","scoring_elements":"0.16895","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25049"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d","reference_id":"7860896909b3d42993a36297f053d2b0e633235d","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:21Z/"}],"url":"https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d"},{"reference_url":"https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b","reference_id":"936c06cfc1ad269a89e8ef7f8ac79c104436d54b","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:21Z/"}],"url":"https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25049","reference_id":"CVE-2026-25049","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25049"},{"reference_url":"https://github.com/advisories/GHSA-6cqr-8cfr-67f8","reference_id":"GHSA-6cqr-8cfr-67f8","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6cqr-8cfr-67f8"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8","reference_id":"GHSA-6cqr-8cfr-67f8","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:21Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38205?format=json","purl":"pkg:npm/n8n@1.123.17","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.17"},{"url":"http://public2.vulnerablecode.io/api/packages/38728?format=json","purl":"pkg:npm/n8n@2.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.2"}],"aliases":["CVE-2026-25049","GHSA-6cqr-8cfr-67f8"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d5s2-xbfd-ukg7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78047?format=json","vulnerability_id":"VCID-d763-b5fk-g3dm","summary":"n8n is an open source workflow automation platform. Prior to version 2.5.0, when the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key, potentially injecting malicious content into workflows or intercepting repository data. This issue only affects instances where the Source Control feature has been explicitly enabled and configured to use SSH (non-default). The issue has been fixed in n8n version 2.5.0. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable the Source Control feature if it is not actively required, and/or restrict network access to ensure the n8n instance communicates with the Git server only over trusted, controlled network paths. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33724","reference_id":"","reference_type":"","scores":[{"value":"0.00017","scoring_system":"epss","scoring_elements":"0.04367","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33724"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33724","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33724"},{"reference_url":"https://github.com/advisories/GHSA-43v7-fp2v-68f6","reference_id":"GHSA-43v7-fp2v-68f6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-43v7-fp2v-68f6"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-43v7-fp2v-68f6","reference_id":"GHSA-43v7-fp2v-68f6","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:05:11Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-43v7-fp2v-68f6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38208?format=json","purl":"pkg:npm/n8n@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0"}],"aliases":["CVE-2026-33724","GHSA-43v7-fp2v-68f6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d763-b5fk-g3dm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/66155?format=json","vulnerability_id":"VCID-d7g4-89n1-y7e7","summary":"n8n is an open source workflow automation platform. Prior to 1.121.0, there is a vulnerability in the HTTP Request node's credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This only might affect user who have credentials that use wildcard domain patterns (e.g., *.example.com) in the \"Allowed domains\" setting. This issue is fixed in version 1.121.0 and later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25631","reference_id":"","reference_type":"","scores":[{"value":"0.00025","scoring_system":"epss","scoring_elements":"0.07508","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25631"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25631","reference_id":"CVE-2026-25631","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25631"},{"reference_url":"https://github.com/advisories/GHSA-2xcx-75h9-vr9h","reference_id":"GHSA-2xcx-75h9-vr9h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2xcx-75h9-vr9h"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h","reference_id":"GHSA-2xcx-75h9-vr9h","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-06T21:06:21Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36331?format=json","purl":"pkg:npm/n8n@1.121.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.121.0"}],"aliases":["CVE-2026-25631","GHSA-2xcx-75h9-vr9h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-d7g4-89n1-y7e7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80280?format=json","vulnerability_id":"VCID-dm6y-ymh9-u3cm","summary":"n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, additional exploits in the expression evaluation of n8n have been identified and patched following CVE-2025-68613. An authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or deploy n8n in a hardened environment with restricted operating system privileges and network access to reduce the impact of potential exploitation. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27577","reference_id":"","reference_type":"","scores":[{"value":"0.00175","scoring_system":"epss","scoring_elements":"0.38836","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27577"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6","reference_id":"1479aab2d32fe0ee087f82b9038b1035c98be2f6","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/"}],"url":"https://github.com/n8n-io/n8n/commit/1479aab2d32fe0ee087f82b9038b1035c98be2f6"},{"reference_url":"https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e","reference_id":"9e5212ecbc5d2d4e6f340b636a5e84be6369882e","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/"}],"url":"https://github.com/n8n-io/n8n/commit/9e5212ecbc5d2d4e6f340b636a5e84be6369882e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27577","reference_id":"CVE-2026-27577","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27577"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp","reference_id":"GHSA-v98v-ff95-f3cp","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-v98v-ff95-f3cp"},{"reference_url":"https://github.com/advisories/GHSA-vpcf-gvg4-6qwr","reference_id":"GHSA-vpcf-gvg4-6qwr","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vpcf-gvg4-6qwr"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr","reference_id":"GHSA-vpcf-gvg4-6qwr","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vpcf-gvg4-6qwr"},{"reference_url":"https://docs.n8n.io/hosting/securing/overview","reference_id":"overview","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:14:18Z/"}],"url":"https://docs.n8n.io/hosting/securing/overview"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27577","GHSA-vpcf-gvg4-6qwr"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dm6y-ymh9-u3cm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/121282?format=json","vulnerability_id":"VCID-et9c-dh4q-3qcy","summary":"n8n is a workflow automation platform. Before 1.106.0, a symlink traversal vulnerability was discovered in the Read/Write File node in n8n. While the node attempts to restrict access to sensitive directories and files, it does not properly account for symbolic links (symlinks). An attacker with the ability to create symlinks—such as by using the Execute Command node—could exploit this to bypass the intended directory restrictions and read from or write to otherwise inaccessible paths. Users of n8n.cloud are not impacted. Affected users should update to version 1.106.0 or later.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57749","reference_id":"","reference_type":"","scores":[{"value":"0.00177","scoring_system":"epss","scoring_elements":"0.39097","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-57749"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/c2c3e08cdf33570d9051e659812cbfbdd3c077fd","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/c2c3e08cdf33570d9051e659812cbfbdd3c077fd"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57749","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-57749"},{"reference_url":"https://github.com/n8n-io/n8n/pull/17735","reference_id":"17735","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-21T14:43:03Z/"}],"url":"https://github.com/n8n-io/n8n/pull/17735"},{"reference_url":"https://github.com/advisories/GHSA-ggjm-f3g4-rwmm","reference_id":"GHSA-ggjm-f3g4-rwmm","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-ggjm-f3g4-rwmm"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-ggjm-f3g4-rwmm","reference_id":"GHSA-ggjm-f3g4-rwmm","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-08-21T14:43:03Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-ggjm-f3g4-rwmm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/377724?format=json","purl":"pkg:npm/n8n@1.106.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-kw94-d9qx-3qf9"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"},{"vulnerability":"VCID-xsuv-1w6k-akeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.106.0"}],"aliases":["CVE-2025-57749","GHSA-ggjm-f3g4-rwmm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-et9c-dh4q-3qcy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78072?format=json","vulnerability_id":"VCID-f8r2-7ab1-w3d8","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, an authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The `/rest/binary-data` endpoint served such responses inline on the n8n origin without `Content-Disposition` or `Content-Security-Policy` headers, allowing the HTML to render in the browser with full same-origin JavaScript access. By sending the resulting URL to a higher-privileged user, an attacker could execute JavaScript in the victim's authenticated session, enabling exfiltration of workflows and credentials, modification of workflows, or privilege escalation to admin. The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or restrict network access to the n8n instance to prevent untrusted users from accessing binary data URLs. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33749","reference_id":"","reference_type":"","scores":[{"value":"0.0005","scoring_system":"epss","scoring_elements":"0.15914","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33749"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33749","reference_id":"","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33749"},{"reference_url":"https://github.com/advisories/GHSA-qfc3-hm4j-7q77","reference_id":"GHSA-qfc3-hm4j-7q77","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-qfc3-hm4j-7q77"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-qfc3-hm4j-7q77","reference_id":"GHSA-qfc3-hm4j-7q77","reference_type":"","scores":[{"value":"8.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:07:00Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-qfc3-hm4j-7q77"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33749","GHSA-qfc3-hm4j-7q77"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-f8r2-7ab1-w3d8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80256?format=json","vulnerability_id":"VCID-fuvy-21q8-fyhh","summary":"n8n is an open source workflow automation platform. Prior to versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain the Read/Write Files from Disk node with git operations to achieve remote code execution. By writing to specific configuration files and then triggering a git operation, the attacker could execute arbitrary shell commands on the n8n host. The issue has been fixed in n8n versions 2.2.0 and 1.123.8. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Read/Write Files from Disk node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27498","reference_id":"","reference_type":"","scores":[{"value":"0.00594","scoring_system":"epss","scoring_elements":"0.69759","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27498"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/97365caf253978ba8e46d7bc53fa7ac3b6f67b32","reference_id":"97365caf253978ba8e46d7bc53fa7ac3b6f67b32","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/"}],"url":"https://github.com/n8n-io/n8n/commit/97365caf253978ba8e46d7bc53fa7ac3b6f67b32"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27498","reference_id":"CVE-2026-27498","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27498"},{"reference_url":"https://github.com/n8n-io/n8n/commit/e22acaab3dcb2004e5fe0bf9ef2db975bde61866","reference_id":"e22acaab3dcb2004e5fe0bf9ef2db975bde61866","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/"}],"url":"https://github.com/n8n-io/n8n/commit/e22acaab3dcb2004e5fe0bf9ef2db975bde61866"},{"reference_url":"https://github.com/advisories/GHSA-x2mw-7j39-93xq","reference_id":"GHSA-x2mw-7j39-93xq","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x2mw-7j39-93xq"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-x2mw-7j39-93xq","reference_id":"GHSA-x2mw-7j39-93xq","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-x2mw-7j39-93xq"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.8","reference_id":"n8n@1.123.8","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.8"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.2.0","reference_id":"n8n@2.2.0","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:20:10Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.2.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39887?format=json","purl":"pkg:npm/n8n@1.123.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.8"},{"url":"http://public2.vulnerablecode.io/api/packages/37601?format=json","purl":"pkg:npm/n8n@2.2.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.2.0"}],"aliases":["CVE-2026-27498","GHSA-x2mw-7j39-93xq"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fuvy-21q8-fyhh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80123?format=json","vulnerability_id":"VCID-g3sy-n7qb-kqat","summary":"n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, a second-order expression injection vulnerability existed in n8n's Form nodes that could allow an unauthenticated attacker to inject and evaluate arbitrary n8n expressions by submitting crafted form data. When chained with an expression sandbox escape, this could escalate to remote code execution on the n8n host. The vulnerability requires a specific workflow configuration to be exploitable. First, a form node with a field interpolating a value provided by an unauthenticated user, e.g. a form submitted value. Second, the field value must begin with an `=` character, which caused n8n to treat it as an expression and triggered a double-evaluation of the field content. There is no practical reason for a workflow designer to prefix a field with `=` intentionally — the character is not rendered in the output, so the result would not match the designer's expectations. If added accidentally, it would be noticeable and very unlikely to persist. An unauthenticated attacker would need to either know about this specific circumstance on a target instance or discover a matching form by chance. Even when the preconditions are met, the expression injection alone is limited to data accessible within the n8n expression context. Escalation to remote code execution requires chaining with a separate sandbox escape vulnerability. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Review usage of form nodes manually for above mentioned preconditions, disable the Form node by adding `n8n-nodes-base.form` to the `NODES_EXCLUDE` environment variable, and/or disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27493","reference_id":"","reference_type":"","scores":[{"value":"0.00266","scoring_system":"epss","scoring_elements":"0.50406","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27493"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/issues/19","reference_id":"19","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/issues/19"},{"reference_url":"https://github.com/n8n-io/n8n/commit/562d867483e871b0f1e31776252e23bd721df75b","reference_id":"562d867483e871b0f1e31776252e23bd721df75b","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/commit/562d867483e871b0f1e31776252e23bd721df75b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27493","reference_id":"CVE-2026-27493","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27493"},{"reference_url":"https://github.com/advisories/GHSA-75g8-rv7v-32f7","reference_id":"GHSA-75g8-rv7v-32f7","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-75g8-rv7v-32f7"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-75g8-rv7v-32f7","reference_id":"GHSA-75g8-rv7v-32f7","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-75g8-rv7v-32f7"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22","reference_id":"n8n@1.123.22","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1","reference_id":"n8n@2.10.1","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3","reference_id":"n8n@2.9.3","reference_type":"","scores":[{"value":"9.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.5","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:27:11Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27493","GHSA-75g8-rv7v-32f7"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-g3sy-n7qb-kqat"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70447?format=json","vulnerability_id":"VCID-krxn-r6bc-cffu","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the MCP OAuth client registration endpoint accepted unauthenticated requests and stored client data without adequate resource controls. An unauthenticated remote attacker could exhaust server memory resources by sending large registration payloads, rendering the n8n instance unavailable. The MCP enable/disable toggle gates MCP access but did not restrict client registrations, meaning the endpoint is reachable regardless of whether MCP access is enabled on the instance. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42236","reference_id":"","reference_type":"","scores":[{"value":"0.00165","scoring_system":"epss","scoring_elements":"0.37306","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42236"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42236","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42236"},{"reference_url":"https://github.com/advisories/GHSA-49m9-pgww-9vq6","reference_id":"GHSA-49m9-pgww-9vq6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-49m9-pgww-9vq6"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-49m9-pgww-9vq6","reference_id":"GHSA-49m9-pgww-9vq6","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:59:10Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-49m9-pgww-9vq6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42236","GHSA-49m9-pgww-9vq6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-krxn-r6bc-cffu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65748?format=json","vulnerability_id":"VCID-ktyh-c1au-6yc7","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata the vulnerability can lead to files being written to unintended locations on those remote systems potentially leading to remote code execution on those systems. As a prerequisites an unauthenticated attacker needs knowledge of such workflows existing and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25055","reference_id":"","reference_type":"","scores":[{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39362","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25055"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/528ad6b982d0519ec170e172f57b7fdbbe175230","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/528ad6b982d0519ec170e172f57b7fdbbe175230"},{"reference_url":"https://github.com/n8n-io/n8n/commit/e0baf48c6a54808f6dbca8cb352bfa306092c223","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/e0baf48c6a54808f6dbca8cb352bfa306092c223"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25055","reference_id":"CVE-2026-25055","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25055"},{"reference_url":"https://github.com/advisories/GHSA-m82q-59gv-mcr9","reference_id":"GHSA-m82q-59gv-mcr9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-m82q-59gv-mcr9"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9","reference_id":"GHSA-m82q-59gv-mcr9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-05T14:20:20Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38757?format=json","purl":"pkg:npm/n8n@1.123.12","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.12"},{"url":"http://public2.vulnerablecode.io/api/packages/38755?format=json","purl":"pkg:npm/n8n@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0"}],"aliases":["CVE-2026-25055","GHSA-m82q-59gv-mcr9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ktyh-c1au-6yc7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/102286?format=json","vulnerability_id":"VCID-kw94-d9qx-3qf9","summary":"n8n is an open source workflow automation platform. Prior to 1.113.0, a remote code execution vulnerability exists in the Git Node component available in both Cloud and Self-Hosted versions of n8n. When a malicious actor clones a remote repository containing a pre-commit hook, the subsequent use of the Commit operation in the Git Node can inadvertently trigger the hook’s execution. This allows attackers to execute arbitrary code within the n8n environment, potentially compromising the system and any connected credentials or workflows. This vulnerability is fixed in 1.113.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62726","reference_id":"","reference_type":"","scores":[{"value":"0.0022","scoring_system":"epss","scoring_elements":"0.44785","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-62726"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/pull/19559","reference_id":"19559","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-31T18:19:00Z/"}],"url":"https://github.com/n8n-io/n8n/pull/19559"},{"reference_url":"https://github.com/n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997","reference_id":"5bf3db5ba84d3195bbe11bbd3c62f7086e090997","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-31T18:19:00Z/"}],"url":"https://github.com/n8n-io/n8n/commit/5bf3db5ba84d3195bbe11bbd3c62f7086e090997"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62726","reference_id":"CVE-2025-62726","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-62726"},{"reference_url":"https://github.com/advisories/GHSA-xgp7-7qjq-vg47","reference_id":"GHSA-xgp7-7qjq-vg47","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xgp7-7qjq-vg47"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47","reference_id":"GHSA-xgp7-7qjq-vg47","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-31T18:19:00Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-xgp7-7qjq-vg47"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34928?format=json","purl":"pkg:npm/n8n@1.113.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.113.0"}],"aliases":["CVE-2025-62726","GHSA-xgp7-7qjq-vg47"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kw94-d9qx-3qf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/127969?format=json","vulnerability_id":"VCID-nh3d-mzxr-j7dy","summary":"n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced in version 1.103.0. This behavior can enable a malicious actor with workflow creation permissions to execute arbitrary JavaScript in the context of the n8n editor interface. This issue has been patched in version 1.114.0. Workarounds for this issue involve restricting workflow creation and modification privileges to trusted users only, avoiding use of untrusted HTML responses in the “Respond to Webhook” node, and using an external reverse proxy or HTML sanitizer to filter responses that include executable scripts.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61914","reference_id":"","reference_type":"","scores":[{"value":"8e-05","scoring_system":"epss","scoring_elements":"0.00703","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61914"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61914","reference_id":"CVE-2025-61914","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61914"},{"reference_url":"https://github.com/advisories/GHSA-58jc-rcg5-95f3","reference_id":"GHSA-58jc-rcg5-95f3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-58jc-rcg5-95f3"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-58jc-rcg5-95f3","reference_id":"GHSA-58jc-rcg5-95f3","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-26T21:54:28Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-58jc-rcg5-95f3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36368?format=json","purl":"pkg:npm/n8n@1.114.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.114.0"}],"aliases":["CVE-2025-61914","GHSA-58jc-rcg5-95f3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nh3d-mzxr-j7dy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70296?format=json","vulnerability_id":"VCID-nhbw-hcq1-b3em","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with a valid API key scoped to variable:list could read variables from projects they are not a member of by supplying an arbitrary projectId query parameter to the public API variables endpoint. The handler queried the variables repository directly without enforcing project membership checks, bypassing the authorization-aware service layer used by the internal enterprise controller. If variables were misused to store sensitive information such as credentials or tokens, they should be rotated immediately. This issue only affects licensed enterprise or team deployments with multiple projects and the variables feature enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42227","reference_id":"","reference_type":"","scores":[{"value":"0.00038","scoring_system":"epss","scoring_elements":"0.11812","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42227"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42227","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42227"},{"reference_url":"https://github.com/advisories/GHSA-756q-gq9h-fp22","reference_id":"GHSA-756q-gq9h-fp22","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-756q-gq9h-fp22"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-756q-gq9h-fp22","reference_id":"GHSA-756q-gq9h-fp22","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T13:08:26Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-756q-gq9h-fp22"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42227","GHSA-756q-gq9h-fp22"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nhbw-hcq1-b3em"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70393?format=json","vulnerability_id":"VCID-nva1-tjfr-ckb5","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution. An unauthenticated remote attacker who could identify a valid execution ID for a workflow in a waiting state could attach to that execution, receive the pending prompt intended for the legitimate user, and submit arbitrary input to resume or influence downstream workflow behavior. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42228","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25477","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42228"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42228","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42228"},{"reference_url":"https://github.com/advisories/GHSA-f77h-j2v7-g6mw","reference_id":"GHSA-f77h-j2v7-g6mw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f77h-j2v7-g6mw"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f77h-j2v7-g6mw","reference_id":"GHSA-f77h-j2v7-g6mw","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-06T13:47:46Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f77h-j2v7-g6mw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42228","GHSA-f77h-j2v7-g6mw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nva1-tjfr-ckb5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79889?format=json","vulnerability_id":"VCID-p2w8-9t9n-7baw","summary":"n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could exploit a vulnerability in the JavaScript Task Runner sandbox to execute arbitrary code outside the sandbox boundary. On instances using internal Task Runners (default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other task executed on the Task Runner. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to limit the blast radius. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27495","reference_id":"","reference_type":"","scores":[{"value":"0.00104","scoring_system":"epss","scoring_elements":"0.27879","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27495"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27495","reference_id":"CVE-2026-27495","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27495"},{"reference_url":"https://github.com/advisories/GHSA-jjpj-p2wh-qf23","reference_id":"GHSA-jjpj-p2wh-qf23","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jjpj-p2wh-qf23"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23","reference_id":"GHSA-jjpj-p2wh-qf23","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jjpj-p2wh-qf23"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22","reference_id":"n8n@1.123.22","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1","reference_id":"n8n@2.10.1","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3","reference_id":"n8n@2.9.3","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3"},{"reference_url":"https://docs.n8n.io/hosting/configuration/task-runners","reference_id":"task-runners","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T20:28:01Z/"}],"url":"https://docs.n8n.io/hosting/configuration/task-runners"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27495","GHSA-jjpj-p2wh-qf23"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-p2w8-9t9n-7baw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79999?format=json","vulnerability_id":"VCID-qrf6-n324-ybbj","summary":"n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could leverage the Merge node's SQL query mode to execute arbitrary code and write arbitrary files on the n8n server. The issues have been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to one of these versions or later to remediate all known vulnerabilities. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only, and/or disable the Merge node by adding `n8n-nodes-base.merge` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27497","reference_id":"","reference_type":"","scores":[{"value":"0.00076","scoring_system":"epss","scoring_elements":"0.22844","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27497"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27497","reference_id":"CVE-2026-27497","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27497"},{"reference_url":"https://github.com/advisories/GHSA-wxx7-mcgf-j869","reference_id":"GHSA-wxx7-mcgf-j869","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wxx7-mcgf-j869"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869","reference_id":"GHSA-wxx7-mcgf-j869","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-wxx7-mcgf-j869"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22","reference_id":"n8n@1.123.22","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1","reference_id":"n8n@2.10.1","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3","reference_id":"n8n@2.9.3","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-26T19:35:17Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27497","GHSA-wxx7-mcgf-j869"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qrf6-n324-ybbj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360046?format=json","vulnerability_id":"VCID-r89t-ywcr-kbev","summary":"n8n has a Stored XSS Vulnerability in its Form Trigger\n## Impact\nAn authenticated user with permission to create or modify workflows could exploit a flaw in the Form Trigger node's CSS sanitization to store a cross-site scripting (XSS) payload. The injected script executes persistently for every visitor of the published form, enabling form submission hijacking and phishing. The existing Content Security Policy prevents direct n8n session cookie theft but does not prevent script execution or form action manipulation.\n\n## Patches\nThe issue has been fixed in n8n versions 2.12.0, 2.11.2, and 1.123.25. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Form Trigger node by adding `n8n-nodes-base.formTrigger` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-q4fm-pjq6-m63g","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-q4fm-pjq6-m63g"},{"reference_url":"https://github.com/advisories/GHSA-q4fm-pjq6-m63g","reference_id":"GHSA-q4fm-pjq6-m63g","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-q4fm-pjq6-m63g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374746?format=json","purl":"pkg:npm/n8n@1.123.25","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.25"},{"url":"http://public2.vulnerablecode.io/api/packages/374745?format=json","purl":"pkg:npm/n8n@2.11.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.11.2"}],"aliases":["GHSA-q4fm-pjq6-m63g"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r89t-ywcr-kbev"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80281?format=json","vulnerability_id":"VCID-ra9y-br8w-k7au","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.22, 2.9.3, and 2.10.1, an authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data from the same Node.js process — including data from prior requests, tasks, secrets, or tokens — resulting in information disclosure of sensitive in-process data. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. In external runner mode, the impact is limited to data within the external runner process. The issue has been fixed in n8n versions 1.123.22, 2.10.1 , and 2.9.3. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, and/or use external runner mode (`N8N_RUNNERS_MODE=external`) to isolate the runner process. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27496","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12722","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27496"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27496","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27496"},{"reference_url":"https://docs.n8n.io/hosting/securing/blocking-nodes","reference_id":"blocking-nodes","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:08:59Z/"}],"url":"https://docs.n8n.io/hosting/securing/blocking-nodes"},{"reference_url":"https://github.com/advisories/GHSA-xvh5-5qg4-x9qp","reference_id":"GHSA-xvh5-5qg4-x9qp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xvh5-5qg4-x9qp"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-xvh5-5qg4-x9qp","reference_id":"GHSA-xvh5-5qg4-x9qp","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:08:59Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-xvh5-5qg4-x9qp"},{"reference_url":"https://docs.n8n.io/hosting/configuration/task-runners","reference_id":"task-runners","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-25T20:08:59Z/"}],"url":"https://docs.n8n.io/hosting/configuration/task-runners"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27496","GHSA-xvh5-5qg4-x9qp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ra9y-br8w-k7au"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70284?format=json","vulnerability_id":"VCID-rq3f-24px-ykfk","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the /mcp-oauth/register endpoint accepted OAuth client registrations without authentication, allowing arbitrary redirect_uri values to be registered. When a user denies the MCP OAuth consent dialog, the handleDeny handler redirects the user to the registered redirect_uri without validation, enabling an open redirect to an attacker-controlled URL. An attacker can craft a phishing link and send it to a victim; if the victim clicks \"Deny\" on the consent page, they are silently redirected to an external site. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42230","reference_id":"","reference_type":"","scores":[{"value":"0.00056","scoring_system":"epss","scoring_elements":"0.17771","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42230"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42230","reference_id":"","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42230"},{"reference_url":"https://github.com/advisories/GHSA-f6x8-65q6-j9m9","reference_id":"GHSA-f6x8-65q6-j9m9","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-f6x8-65q6-j9m9"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f6x8-65q6-j9m9","reference_id":"GHSA-f6x8-65q6-j9m9","reference_type":"","scores":[{"value":"4.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:55:49Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f6x8-65q6-j9m9"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42230","GHSA-f6x8-65q6-j9m9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rq3f-24px-ykfk"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65944?format=json","vulnerability_id":"VCID-s86a-mpj9-dfhg","summary":"n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node's SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server's filesystem potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25056","reference_id":"","reference_type":"","scores":[{"value":"0.00225","scoring_system":"epss","scoring_elements":"0.45364","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25056"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25056","reference_id":"CVE-2026-25056","reference_type":"","scores":[{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25056"},{"reference_url":"https://github.com/advisories/GHSA-hv53-3329-vmrm","reference_id":"GHSA-hv53-3329-vmrm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hv53-3329-vmrm"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm","reference_id":"GHSA-hv53-3329-vmrm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:17Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38758?format=json","purl":"pkg:npm/n8n@1.118.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.118.0"},{"url":"http://public2.vulnerablecode.io/api/packages/38755?format=json","purl":"pkg:npm/n8n@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0"}],"aliases":["CVE-2026-25056","GHSA-hv53-3329-vmrm"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s86a-mpj9-dfhg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212671?format=json","vulnerability_id":"VCID-s8p4-nts1-2fh2","summary":"n8n has an SSO Enforcement Bypass in its Self-Service Settings API","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/a70b2ea379086da3de103bb84811e88cadf29976","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/a70b2ea379086da3de103bb84811e88cadf29976"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.8.0","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N"},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.8.0"},{"reference_url":"https://github.com/advisories/GHSA-vjf3-2gpj-233v","reference_id":"GHSA-vjf3-2gpj-233v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vjf3-2gpj-233v"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vjf3-2gpj-233v","reference_id":"GHSA-vjf3-2gpj-233v","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-vjf3-2gpj-233v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39942?format=json","purl":"pkg:npm/n8n@2.8.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.8.0"}],"aliases":["GHSA-vjf3-2gpj-233v"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-s8p4-nts1-2fh2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97986?format=json","vulnerability_id":"VCID-ssr2-5x7e-9uf7","summary":"n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com), credential or 2FA theft if users are tricked into re-entering sensitive information, and/or reputation risk due to the visual similarity between attacker-controlled domains and trusted ones. The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. The issue has been patched in version 1.98.0. All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49592","reference_id":"","reference_type":"","scores":[{"value":"0.00179","scoring_system":"epss","scoring_elements":"0.39294","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-49592"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49592","reference_id":"","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49592"},{"reference_url":"https://github.com/n8n-io/n8n/pull/16034","reference_id":"16034","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/"}],"url":"https://github.com/n8n-io/n8n/pull/16034"},{"reference_url":"https://github.com/n8n-io/n8n/commit/4865d1e360a0fe7b045e295b5e1a29daad12314e","reference_id":"4865d1e360a0fe7b045e295b5e1a29daad12314e","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/"}],"url":"https://github.com/n8n-io/n8n/commit/4865d1e360a0fe7b045e295b5e1a29daad12314e"},{"reference_url":"https://github.com/advisories/GHSA-5vj6-wjr7-5v9f","reference_id":"GHSA-5vj6-wjr7-5v9f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-5vj6-wjr7-5v9f"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-5vj6-wjr7-5v9f","reference_id":"GHSA-5vj6-wjr7-5v9f","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-5vj6-wjr7-5v9f"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0","reference_id":"n8n%401.98.0","reference_type":"","scores":[{"value":"4.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-06-26T19:56:57Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.98.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378583?format=json","purl":"pkg:npm/n8n@1.98.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-727u-nmx9-xuf3"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-et9c-dh4q-3qcy"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-fy3d-ykem-3fgr"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-kw94-d9qx-3qf9"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-vht4-48cx-c7gu"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"},{"vulnerability":"VCID-xsuv-1w6k-akeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.98.0"}],"aliases":["CVE-2025-49592","GHSA-5vj6-wjr7-5v9f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ssr2-5x7e-9uf7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212287?format=json","vulnerability_id":"VCID-st8g-2xn4-97b9","summary":"n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/advisories/GHSA-365g-vjw2-grx8","reference_id":"GHSA-365g-vjw2-grx8","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-365g-vjw2-grx8"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-365g-vjw2-grx8","reference_id":"GHSA-365g-vjw2-grx8","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-365g-vjw2-grx8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/863927?format=json","purl":"pkg:npm/n8n@1.115.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.115.0"}],"aliases":["GHSA-365g-vjw2-grx8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-st8g-2xn4-97b9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70188?format=json","vulnerability_id":"VCID-su1t-s9q1-h7am","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the SeaTable node's row:search and row:get operations allowed user-controlled input to be concatenated directly into SQL query strings without escaping or parameterization. In workflows where external user input is passed via expressions into the SeaTable node's search or row retrieval parameters, an attacker could manipulate the constructed query to retrieve unintended rows from the connected SeaTable base, bypassing row-level filtering logic implemented in the workflow. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42229","reference_id":"","reference_type":"","scores":[{"value":"0.00063","scoring_system":"epss","scoring_elements":"0.19896","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42229"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42229","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42229"},{"reference_url":"https://github.com/advisories/GHSA-mp4j-h6gh-f6mp","reference_id":"GHSA-mp4j-h6gh-f6mp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mp4j-h6gh-f6mp"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mp4j-h6gh-f6mp","reference_id":"GHSA-mp4j-h6gh-f6mp","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-05T15:00:08Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mp4j-h6gh-f6mp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42229","GHSA-mp4j-h6gh-f6mp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-su1t-s9q1-h7am"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360180?format=json","vulnerability_id":"VCID-ty34-7aqe-27gv","summary":"n8n has XSS in Chat Trigger Node through Custom CSS\n## Impact\nAn authenticated user with permission to create or modify workflows could inject malicious JavaScript into the Custom CSS field of the Chat Trigger node. Due to a misconfiguration in the `sanitize-html` library, the sanitization could be bypassed, resulting in stored XSS on the public chat page. Any user visiting the chat URL would be affected.\n\n## Patches\nThe issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability.\n\n## Workarounds\nIf upgrading is not immediately possible, administrators should consider the following temporary mitigations:\n- Limit workflow creation and editing permissions to fully trusted users only.\n- Disable the Chat Trigger node by adding `@n8n/n8n-nodes-langchain.chatTrigger` to the `NODES_EXCLUDE` environment variable.\n\nThese workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-3c7f-5hgj-h279","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-3c7f-5hgj-h279"},{"reference_url":"https://github.com/advisories/GHSA-3c7f-5hgj-h279","reference_id":"GHSA-3c7f-5hgj-h279","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-3c7f-5hgj-h279"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374800?format=json","purl":"pkg:npm/n8n@1.123.27","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.27"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["GHSA-3c7f-5hgj-h279"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ty34-7aqe-27gv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/79873?format=json","vulnerability_id":"VCID-ubn7-w3vz-hqgb","summary":"n8n is an open source workflow automation platform. Prior to versions 2.10.1, 2.9.3, and 1.123.22, an authenticated user with permission to create or modify workflows could use the Python Code node to escape the sandbox. The sandbox did not sufficiently restrict access to certain built-in Python objects, allowing an attacker to exfiltrate file contents or achieve RCE. On instances using internal Task Runners (default runner mode), this could result in full compromise of the n8n host. On instances using external Task Runners, the attacker might gain access to or impact other task executed on the Task Runner. Task Runners must be enabled using `N8N_RUNNERS_ENABLED=true`. The issue has been fixed in n8n versions 2.10.1, 2.9.3, and 1.123.22. Users should upgrade to this version or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations. Limit workflow creation and editing permissions to fully trusted users only., and/or disable the Code node by adding `n8n-nodes-base.code` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27494","reference_id":"","reference_type":"","scores":[{"value":"0.0009","scoring_system":"epss","scoring_elements":"0.25578","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27494"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27494","reference_id":"CVE-2026-27494","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27494"},{"reference_url":"https://github.com/advisories/GHSA-mmgg-m5j7-f83h","reference_id":"GHSA-mmgg-m5j7-f83h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mmgg-m5j7-f83h"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mmgg-m5j7-f83h","reference_id":"GHSA-mmgg-m5j7-f83h","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mmgg-m5j7-f83h"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22","reference_id":"n8n@1.123.22","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@1.123.22"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1","reference_id":"n8n@2.10.1","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.10.1"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3","reference_id":"n8n@2.9.3","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-26T20:28:47Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n@2.9.3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39886?format=json","purl":"pkg:npm/n8n@1.123.22","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.22"},{"url":"http://public2.vulnerablecode.io/api/packages/902621?format=json","purl":"pkg:npm/n8n@2.0.0-rc.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.0.0-rc.0"},{"url":"http://public2.vulnerablecode.io/api/packages/39885?format=json","purl":"pkg:npm/n8n@2.9.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.9.3"},{"url":"http://public2.vulnerablecode.io/api/packages/39884?format=json","purl":"pkg:npm/n8n@2.10.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.10.1"}],"aliases":["CVE-2026-27494","GHSA-mmgg-m5j7-f83h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ubn7-w3vz-hqgb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78017?format=json","vulnerability_id":"VCID-umut-3bp5-y3eq","summary":"n8n is an open source workflow automation platform. Prior to versions 2.14.1, 2.13.3, and 1.123.26, an authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On default SQLite DB, single statements can be manipulated and the attack surface is practically limited. On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion. The issue has been fixed in n8n versions 1.123.26, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the Data Table node by adding `n8n-nodes-base.dataTable` to the `NODES_EXCLUDE` environment variable, and/or review existing workflows for Data Table Get nodes where `orderByColumn` is set to an expression that incorporates external or user-supplied input. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33713","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06746","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33713"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33713","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33713"},{"reference_url":"https://github.com/advisories/GHSA-98c2-4cr3-4jc3","reference_id":"GHSA-98c2-4cr3-4jc3","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-98c2-4cr3-4jc3"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3","reference_id":"GHSA-98c2-4cr3-4jc3","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"8.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-25T17:58:32Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-98c2-4cr3-4jc3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374757?format=json","purl":"pkg:npm/n8n@1.123.26","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.26"},{"url":"http://public2.vulnerablecode.io/api/packages/374760?format=json","purl":"pkg:npm/n8n@2.13.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.13.3"},{"url":"http://public2.vulnerablecode.io/api/packages/374759?format=json","purl":"pkg:npm/n8n@2.14.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-su1t-s9q1-h7am"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.14.1"}],"aliases":["CVE-2026-33713","GHSA-98c2-4cr3-4jc3"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-umut-3bp5-y3eq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70587?format=json","vulnerability_id":"VCID-v4ft-nvxq-cyhy","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.33 and 2.17.5, the dynamic-node-parameters endpoints did not verify whether the authenticated caller was authorized to use a supplied credential reference. An authenticated user with access to a shared workflow could supply a foreign credential ID in the request body, causing the backend to decrypt and use that credential in a helper execution path where the caller also controls the destination URL. This allowed the caller to force the backend to authenticate against attacker-controlled infrastructure using a credential belonging to another user, effectively exfiltrating a reusable API key. The issue is not limited to any single node type; any node that resolves credentials dynamically through these endpoints may be affected. This issue has been patched in versions 1.123.33, 2.17.5, and 2.18.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42226","reference_id":"","reference_type":"","scores":[{"value":"0.00064","scoring_system":"epss","scoring_elements":"0.20183","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42226"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:L/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42226","reference_id":"","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:L/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42226"},{"reference_url":"https://github.com/advisories/GHSA-r4v6-9fqc-w5jr","reference_id":"GHSA-r4v6-9fqc-w5jr","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-r4v6-9fqc-w5jr"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr","reference_id":"GHSA-r4v6-9fqc-w5jr","reference_type":"","scores":[{"value":"8.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:L/SI:L/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-04T19:41:42Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-r4v6-9fqc-w5jr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373721?format=json","purl":"pkg:npm/n8n@1.123.33","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.33"},{"url":"http://public2.vulnerablecode.io/api/packages/373720?format=json","purl":"pkg:npm/n8n@2.17.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.5"}],"aliases":["CVE-2026-42226","GHSA-r4v6-9fqc-w5jr"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v4ft-nvxq-cyhy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/74537?format=json","vulnerability_id":"VCID-v6z9-pvhr-k7d2","summary":"n8n is an open source workflow automation platform. In versions from 0.150.0 to before 2.2.2, an authentication bypass vulnerability in the Stripe Trigger node allows unauthenticated parties to trigger workflows by sending forged Stripe webhook events. The Stripe Trigger creates and stores a Stripe webhook signing secret when registering the webhook endpoint, but incoming webhook requests were not verified against this secret. As a result, any HTTP client that knows the webhook URL could send a POST request containing a matching event type, causing the workflow to execute as if a legitimate Stripe event had been received. This issue affects n8n users who have active workflows using the Stripe Trigger node. An attacker could potentially fake payment or subscription events and influence downstream workflow behavior. The practical risk is reduced by the fact that the webhook URL contains a high-entropy UUID; however, authenticated n8n users with access to the workflow can view this webhook ID. This issue has been patched in version 2.2.2. A temporary workaround for this issue involves users deactivating affected workflows or restricting access to workflows containing Stripe Trigger nodes to trusted users only.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21894","reference_id":"","reference_type":"","scores":[{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.0662","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-21894"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/pull/22764","reference_id":"22764","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:42:25Z/"}],"url":"https://github.com/n8n-io/n8n/pull/22764"},{"reference_url":"https://github.com/n8n-io/n8n/commit/a61a5991093c41863506888336e808ac1eff8d59","reference_id":"a61a5991093c41863506888336e808ac1eff8d59","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:42:25Z/"}],"url":"https://github.com/n8n-io/n8n/commit/a61a5991093c41863506888336e808ac1eff8d59"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21894","reference_id":"CVE-2026-21894","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-21894"},{"reference_url":"https://github.com/advisories/GHSA-jf52-3f2h-h9j5","reference_id":"GHSA-jf52-3f2h-h9j5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jf52-3f2h-h9j5"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jf52-3f2h-h9j5","reference_id":"GHSA-jf52-3f2h-h9j5","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-08T14:42:25Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-jf52-3f2h-h9j5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36597?format=json","purl":"pkg:npm/n8n@2.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.2.2"}],"aliases":["CVE-2026-21894","GHSA-jf52-3f2h-h9j5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v6z9-pvhr-k7d2"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/105067?format=json","vulnerability_id":"VCID-vht4-48cx-c7gu","summary":"n8n is a workflow automation platform. Prior to version 1.99.1, an authorization vulnerability was discovered in the /rest/executions/:id/stop endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading to potential business disruption. This issue has been patched in version 1.99.1. A workaround involves restricting access to the /rest/executions/:id/stop endpoint via reverse proxy or API gateway.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-52554","reference_id":"","reference_type":"","scores":[{"value":"0.00327","scoring_system":"epss","scoring_elements":"0.56059","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-52554"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-52554","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-52554"},{"reference_url":"https://github.com/n8n-io/n8n/pull/16405","reference_id":"16405","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/"}],"url":"https://github.com/n8n-io/n8n/pull/16405"},{"reference_url":"https://github.com/dudanogueira/n8n/commit/ca2f90c7fbaa1d661ade2f45d587d9469bc287e1","reference_id":"ca2f90c7fbaa1d661ade2f45d587d9469bc287e1","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/"}],"url":"https://github.com/dudanogueira/n8n/commit/ca2f90c7fbaa1d661ade2f45d587d9469bc287e1"},{"reference_url":"https://github.com/n8n-io/n8n/commit/e5edc60e344924230baafb11fa1f0af788e9ca9a","reference_id":"e5edc60e344924230baafb11fa1f0af788e9ca9a","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/"}],"url":"https://github.com/n8n-io/n8n/commit/e5edc60e344924230baafb11fa1f0af788e9ca9a"},{"reference_url":"https://github.com/advisories/GHSA-gq57-v332-7666","reference_id":"GHSA-gq57-v332-7666","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-gq57-v332-7666"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-gq57-v332-7666","reference_id":"GHSA-gq57-v332-7666","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H"},{"value":"4.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-03T20:18:06Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-gq57-v332-7666"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/378426?format=json","purl":"pkg:npm/n8n@1.99.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-et9c-dh4q-3qcy"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-kw94-d9qx-3qf9"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"},{"vulnerability":"VCID-xsuv-1w6k-akeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.99.1"}],"aliases":["CVE-2025-52554","GHSA-gq57-v332-7666"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vht4-48cx-c7gu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65839?format=json","vulnerability_id":"VCID-wbd6-q158-8khm","summary":"n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execute code outside the intended security boundary. This issue has been patched in version 2.4.8.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25115","reference_id":"","reference_type":"","scores":[{"value":"0.00075","scoring_system":"epss","scoring_elements":"0.2267","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-25115"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/8607d372f78c388bb3691d9d5b52af7259ec7b1f","reference_id":"","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/8607d372f78c388bb3691d9d5b52af7259ec7b1f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25115","reference_id":"CVE-2026-25115","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-25115"},{"reference_url":"https://github.com/advisories/GHSA-8398-gmmx-564h","reference_id":"GHSA-8398-gmmx-564h","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8398-gmmx-564h"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h","reference_id":"GHSA-8398-gmmx-564h","reference_type":"","scores":[{"value":"9.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-05T14:23:16Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38759?format=json","purl":"pkg:npm/n8n@2.4.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.8"}],"aliases":["CVE-2026-25115","GHSA-8398-gmmx-564h"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wbd6-q158-8khm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212665?format=json","vulnerability_id":"VCID-wg96-fujy-33db","summary":"n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/f73fae6fe7fc34907bba102648a9997186aa4385","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/f73fae6fe7fc34907bba102648a9997186aa4385"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n%402.4.0","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n%402.4.0"},{"reference_url":"https://github.com/advisories/GHSA-f3f2-mcxc-pwjx","reference_id":"GHSA-f3f2-mcxc-pwjx","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-f3f2-mcxc-pwjx"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx","reference_id":"GHSA-f3f2-mcxc-pwjx","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-f3f2-mcxc-pwjx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38755?format=json","purl":"pkg:npm/n8n@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0"}],"aliases":["GHSA-f3f2-mcxc-pwjx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wg96-fujy-33db"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70648?format=json","vulnerability_id":"VCID-wte4-73wa-53fx","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container. This issue only affects instances where the Python Task Runner is enabled. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42234","reference_id":"","reference_type":"","scores":[{"value":"0.00095","scoring_system":"epss","scoring_elements":"0.26427","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42234"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42234","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42234"},{"reference_url":"https://github.com/advisories/GHSA-44v6-jhgm-p3m4","reference_id":"GHSA-44v6-jhgm-p3m4","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-44v6-jhgm-p3m4"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-44v6-jhgm-p3m4","reference_id":"GHSA-44v6-jhgm-p3m4","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"7.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T03:56:38Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-44v6-jhgm-p3m4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42234","GHSA-44v6-jhgm-p3m4"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wte4-73wa-53fx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/70634?format=json","vulnerability_id":"VCID-x1jy-nk1c-6uak","summary":"n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, a flaw in the xml2js library used to parse XML request bodies in n8n's webhook handler allowed prototype pollution via a crafted XML payload. An authenticated user with permission to create or modify workflows could exploit this to pollute the JavaScript object prototype and, by chaining the pollution with the Git node's SSH operations, achieve remote code execution on the n8n host. This issue has been patched in versions 1.123.32, 2.17.4, and 2.18.1.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42231","reference_id":"","reference_type":"","scores":[{"value":"0.00471","scoring_system":"epss","scoring_elements":"0.65062","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42231"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42231","reference_id":"","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42231"},{"reference_url":"https://github.com/advisories/GHSA-q5f4-99jv-pgg5","reference_id":"GHSA-q5f4-99jv-pgg5","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-q5f4-99jv-pgg5"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5","reference_id":"GHSA-q5f4-99jv-pgg5","reference_type":"","scores":[{"value":"10.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"value":"10.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"9.4","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2026-05-04T20:17:57Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373286?format=json","purl":"pkg:npm/n8n@1.123.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.32"},{"url":"http://public2.vulnerablecode.io/api/packages/373288?format=json","purl":"pkg:npm/n8n@2.17.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-v4ft-nvxq-cyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.17.4"},{"url":"http://public2.vulnerablecode.io/api/packages/373287?format=json","purl":"pkg:npm/n8n@2.18.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.18.1"}],"aliases":["CVE-2026-42231","GHSA-q5f4-99jv-pgg5"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x1jy-nk1c-6uak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/97058?format=json","vulnerability_id":"VCID-x83e-tmz3-rqd8","summary":"n8n is a workflow automation platform. Prior to version 1.90.0, n8n is vulnerable to stored cross-site scripting (XSS) through the attachments view endpoint. n8n workflows can store and serve binary files, which are accessible to authenticated users. However, there is no restriction on the MIME type of uploaded files, and the MIME type could be controlled via a GET parameter. This allows the server to respond with any MIME type, potentially enabling malicious content to be interpreted and executed by the browser. An authenticated attacker with member-level permissions could exploit this by uploading a crafted HTML file containing malicious JavaScript. When another user visits the binary data endpoint with the MIME type set to text/html, the script executes in the context of the user’s session. This script could send a request to change the user’s email address in their account settings, effectively enabling account takeover. This issue has been patched in version 1.90.0.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46343","reference_id":"","reference_type":"","scores":[{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54525","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-46343"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46343","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-46343"},{"reference_url":"https://github.com/n8n-io/n8n/pull/14350","reference_id":"14350","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/"}],"url":"https://github.com/n8n-io/n8n/pull/14350"},{"reference_url":"https://github.com/n8n-io/n8n/pull/14685","reference_id":"14685","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/"}],"url":"https://github.com/n8n-io/n8n/pull/14685"},{"reference_url":"https://github.com/advisories/GHSA-c8hm-hr8h-5xjw","reference_id":"GHSA-c8hm-hr8h-5xjw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c8hm-hr8h-5xjw"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-c8hm-hr8h-5xjw","reference_id":"GHSA-c8hm-hr8h-5xjw","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-c8hm-hr8h-5xjw"},{"reference_url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.90.0","reference_id":"n8n%401.90.0","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-29T13:34:53Z/"}],"url":"https://github.com/n8n-io/n8n/releases/tag/n8n%401.90.0"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376319?format=json","purl":"pkg:npm/n8n@1.90.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5mhm-99u3-ruec"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-63n8-hy1m-3ke5"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-727u-nmx9-xuf3"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c232-fvfd-3fda"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-d7g4-89n1-y7e7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-et9c-dh4q-3qcy"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-fy3d-ykem-3fgr"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-kw94-d9qx-3qf9"},{"vulnerability":"VCID-nh3d-mzxr-j7dy"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qkka-4nty-sqh1"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s86a-mpj9-dfhg"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-ssr2-5x7e-9uf7"},{"vulnerability":"VCID-st8g-2xn4-97b9"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-vht4-48cx-c7gu"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"},{"vulnerability":"VCID-xnnq-fzcn-7fbg"},{"vulnerability":"VCID-xsuv-1w6k-akeu"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.90.0"}],"aliases":["CVE-2025-46343","GHSA-c8hm-hr8h-5xjw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-x83e-tmz3-rqd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/212666?format=json","vulnerability_id":"VCID-xf7g-p8s2-rqbj","summary":"n8n: Webhook Forgery on Github Webhook Trigger","references":[{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://github.com/n8n-io/n8n/commit/a19347a6bc9a96d5065ac77d25a811e46178c578","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/a19347a6bc9a96d5065ac77d25a811e46178c578"},{"reference_url":"https://github.com/n8n-io/n8n/commit/afe322325502f448b33bff1db1575e4447c28a36","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/commit/afe322325502f448b33bff1db1575e4447c28a36"},{"reference_url":"https://github.com/advisories/GHSA-mqpr-49jj-32rc","reference_id":"GHSA-mqpr-49jj-32rc","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mqpr-49jj-32rc"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc","reference_id":"GHSA-mqpr-49jj-32rc","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-mqpr-49jj-32rc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39918?format=json","purl":"pkg:npm/n8n@1.123.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.123.15"},{"url":"http://public2.vulnerablecode.io/api/packages/38208?format=json","purl":"pkg:npm/n8n@2.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.5.0"}],"aliases":["GHSA-mqpr-49jj-32rc"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xf7g-p8s2-rqbj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/78081?format=json","vulnerability_id":"VCID-xnnq-fzcn-7fbg","summary":"n8n is an open source workflow automation platform. Prior to versions 2.4.0 and 1.121.0, when LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user's email — including an administrator's — and upon login gain full access to that account. The account linkage persisted even if the LDAP email was later reverted, resulting in a permanent account takeover. LDAP authentication must be configured and active (non-default). The issue has been fixed in n8n versions 2.4.0 and 1.121.0. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Disable LDAP authentication until the instance can be upgraded, restrict LDAP directory permissions so that users cannot modify their own email attributes, and/or audit existing LDAP-linked accounts for unexpected account associations. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33665","reference_id":"","reference_type":"","scores":[{"value":"0.0003","scoring_system":"epss","scoring_elements":"0.09122","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-33665"},{"reference_url":"https://github.com/n8n-io/n8n","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/n8n-io/n8n"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33665","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33665"},{"reference_url":"https://github.com/advisories/GHSA-c545-x2rh-82fc","reference_id":"GHSA-c545-x2rh-82fc","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c545-x2rh-82fc"},{"reference_url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc","reference_id":"GHSA-c545-x2rh-82fc","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N"},{"value":"8.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-03-27T14:55:43Z/"}],"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-c545-x2rh-82fc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/36331?format=json","purl":"pkg:npm/n8n@1.121.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-39dw-4b5k-1bae"},{"vulnerability":"VCID-3p4c-nkcn-hkey"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-4crt-c14t-53dq"},{"vulnerability":"VCID-5c7w-mba9-mucn"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-5pjr-smm2-pyav"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-b5ba-g4u9-jkgx"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cy8m-aw8f-zkfx"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-e1c6-5sck-8bas"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-fuvy-21q8-fyhh"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-h9zv-wu1v-83ft"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-ktyh-c1au-6yc7"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-v4ft-nvxq-cyhy"},{"vulnerability":"VCID-v6z9-pvhr-k7d2"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-wg96-fujy-33db"},{"vulnerability":"VCID-wte4-73wa-53fx"},{"vulnerability":"VCID-x1jy-nk1c-6uak"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.121.0"},{"url":"http://public2.vulnerablecode.io/api/packages/38755?format=json","purl":"pkg:npm/n8n@2.4.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-17dc-5ubt-g3e1"},{"vulnerability":"VCID-18zg-q45k-d3f3"},{"vulnerability":"VCID-1rt1-y3w9-skc7"},{"vulnerability":"VCID-2kxv-vwc7-3ubf"},{"vulnerability":"VCID-456j-q8xt-57e3"},{"vulnerability":"VCID-5fsf-m3s8-pfg2"},{"vulnerability":"VCID-6pzv-3t6r-akeq"},{"vulnerability":"VCID-6xm5-7kq2-xqdm"},{"vulnerability":"VCID-78yr-xz2p-rkff"},{"vulnerability":"VCID-95f5-4xkw-yuae"},{"vulnerability":"VCID-9bcs-wgnz-m3e8"},{"vulnerability":"VCID-c4s3-zx71-c7h3"},{"vulnerability":"VCID-camv-m2tf-qkac"},{"vulnerability":"VCID-cxss-9g41-gfb7"},{"vulnerability":"VCID-cyxm-4jde-myc1"},{"vulnerability":"VCID-d1rq-nmws-w3fy"},{"vulnerability":"VCID-d5bn-f87r-vka1"},{"vulnerability":"VCID-d5s2-xbfd-ukg7"},{"vulnerability":"VCID-d763-b5fk-g3dm"},{"vulnerability":"VCID-dm6y-ymh9-u3cm"},{"vulnerability":"VCID-f8r2-7ab1-w3d8"},{"vulnerability":"VCID-g3sy-n7qb-kqat"},{"vulnerability":"VCID-krxn-r6bc-cffu"},{"vulnerability":"VCID-nhbw-hcq1-b3em"},{"vulnerability":"VCID-nva1-tjfr-ckb5"},{"vulnerability":"VCID-p2w8-9t9n-7baw"},{"vulnerability":"VCID-qrf6-n324-ybbj"},{"vulnerability":"VCID-r89t-ywcr-kbev"},{"vulnerability":"VCID-ra9y-br8w-k7au"},{"vulnerability":"VCID-rq3f-24px-ykfk"},{"vulnerability":"VCID-s8p4-nts1-2fh2"},{"vulnerability":"VCID-su1t-s9q1-h7am"},{"vulnerability":"VCID-ty34-7aqe-27gv"},{"vulnerability":"VCID-ubn7-w3vz-hqgb"},{"vulnerability":"VCID-umut-3bp5-y3eq"},{"vulnerability":"VCID-wbd6-q158-8khm"},{"vulnerability":"VCID-xf7g-p8s2-rqbj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@2.4.0"}],"aliases":["CVE-2026-33665","GHSA-c545-x2rh-82fc"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xnnq-fzcn-7fbg"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/n8n@1.0.5"}