MEDIUM 5.4 npm
GHSA-2p9h-rqjw-gm92 · CVE-2026-27578 n8n Vulnerable to Stored XSS via Various Nodes
Modified: 2/28/2026
package
npm / n8n
pkg:npm/n8n
MEDIUM 5.4 npm
GHSA-2vff-hj5x-8gq7 · CVE-2026-54306 n8n: Prototype Pollution enables confused-deputy execution via public webhooks
Modified: 6/16/2026
MEDIUM 6.4 npm
GHSA-2vx9-7wpg-88jq n8n: Legacy ExecuteWorkflow Node Bypassed File Path Restrictions
Modified: 5/19/2026
MEDIUM npm
GHSA-2xcx-75h9-vr9h · CVE-2026-25631 n8n's domain allowlist bypass enables credential exfiltration
Modified: 2/19/2026
MEDIUM 5.4 npm
GHSA-364x-8g5j-x2pr n8n has XSS in its Credential Management Flow
Modified: 3/27/2026
HIGH 8.8 npm
GHSA-365g-vjw2-grx8 n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host
Modified: 10/9/2025
CRITICAL 9.1 npm
GHSA-3875-8gcx-7v46 n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass
Modified: 5/19/2026
MEDIUM 4.0 npm
GHSA-38c7-23hj-2wgq n8n has Webhook Forgery on Zendesk Trigger Node
Modified: 2/26/2026
MEDIUM 5.4 npm
GHSA-3c7f-5hgj-h279 n8n has XSS in Chat Trigger Node through Custom CSS
Modified: 4/3/2026
MEDIUM 5.4 npm
GHSA-43v7-fp2v-68f6 · CVE-2026-33724 n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no
Modified: 3/25/2026
HIGH 7.5 npm
GHSA-44v6-jhgm-p3m4 · CVE-2026-42234 n8n has a Python Task Runner Sandbox Escape Vulnerability
Modified: 5/8/2026
HIGH 7.5 npm
GHSA-49m9-pgww-9vq6 · CVE-2026-42236 n8n Vulnerable to Unauthenticated Denial of Service via MCP Client Registration
Modified: 5/8/2026
HIGH 7.7 npm
GHSA-49mx-fj45-q3p6 · CVE-2025-61917 n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner
Modified: 2/4/2026
HIGH 8.2 npm
GHSA-537j-gqpc-p7fq · CVE-2026-42235 n8n Vulnerable to XSS via MCP OAuth client
Modified: 5/8/2026
CRITICAL npm
GHSA-57g9-58c2-xjg3 · CVE-2026-44790 n8n Has an Arbitrary File Read via Git Node
Modified: 5/14/2026
HIGH 7.3 npm
GHSA-58jc-rcg5-95f3 · CVE-2025-61914 n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox
Modified: 12/27/2025
CRITICAL 9.9 npm
GHSA-58qr-rcgv-642v · CVE-2026-33660 n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode
Modified: 4/12/2026
MEDIUM 4.6 npm
GHSA-5vj6-wjr7-5v9f · CVE-2025-49592 n8n allows open redirects via the /signin endpoint
Modified: 6/27/2025
HIGH 7.7 npm
GHSA-5xp3-2w67-427v · CVE-2026-49465 n8n: Git Node Clone and Push Operations Bypass File Sandbox
Modified: 6/16/2026
CRITICAL 9.9 npm
GHSA-5xrp-6693-jjx9 · CVE-2026-1470 n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution
Modified: 2/3/2026
CRITICAL 9.9 npm
GHSA-62r4-hw23-cc8v · CVE-2025-68668 n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node
Modified: 2/3/2026
CRITICAL npm
GHSA-6cqr-8cfr-67f8 · CVE-2026-25049 n8n Has Expression Escape Vulnerability Leading to RCE
Modified: 2/4/2026
HIGH npm
GHSA-6h4j-wcr9-2vg7 · CVE-2026-45732 n8n Has a Cross-user Authorization Bypass in Dynamic Credential OAuth Endpoints
Modified: 5/14/2026
HIGH 7.7 npm
GHSA-756q-gq9h-fp22 · CVE-2026-42227 n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure
Modified: 5/8/2026
CRITICAL 9.0 npm
GHSA-75g8-rv7v-32f7 · CVE-2026-27493 n8n has Unauthenticated Expression Evaluation via Form Node
Modified: 2/28/2026
CRITICAL npm
GHSA-7c4h-vh2m-743m · CVE-2026-21893 n8n Vulnerable to Command Injection in Community Package Installation
Modified: 2/4/2026
HIGH npm
GHSA-825q-w924-xhgx · CVE-2026-25051 n8n's Improper CSP Enforcement in Webhook Responses May Allow Stored XSS
Modified: 2/4/2026
CRITICAL 9.9 npm
GHSA-8398-gmmx-564h · CVE-2026-25115 n8n has a Python sandbox escape
Modified: 3/25/2026
HIGH 8.8 npm
GHSA-97cp-mr4m-9mcf · CVE-2023-27563 n8n Privilege Escalation vulnerability
Modified: 11/8/2023
CRITICAL 9.9 npm
GHSA-98c2-4cr3-4jc3 · CVE-2026-33713 n8n has SQL Injection in Data Table Node via orderByColumn Expression
Modified: 3/26/2026
MEDIUM 6.3 npm
GHSA-9c38-2mcm-q7f7 · CVE-2026-54311 n8n: Merge Node SQL Mode Prototype Pollution
Modified: 6/16/2026
CRITICAL npm
GHSA-9g95-qf3f-ggrw · CVE-2026-25053 n8n has OS Command Injection in Git Node
Modified: 2/4/2026
HIGH 8.5 npm
GHSA-9pq8-m8gp-4p53 · CVE-2026-49444 n8n: Python sandbox escape
Modified: 6/16/2026
CRITICAL 9.9 npm
GHSA-c37g-w77q-m4vp · CVE-2026-54310 n8n: SQL Injection in Postgres v1/TimesclaeDB Nodes
Modified: 6/16/2026
HIGH 8.2 npm
GHSA-c545-x2rh-82fc · CVE-2026-33665 n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover
Modified: 3/25/2026
MEDIUM 5.0 npm
GHSA-c8hm-hr8h-5xjw · CVE-2025-46343 n8n Vulnerable to Stored XSS through Attachments View Endpoint
Modified: 4/29/2025
CRITICAL npm
GHSA-c8xv-5998-g76h · CVE-2026-44789 n8n: HTTP Request Node Pagination Prototype Pollution to RCE
Modified: 5/14/2026
HIGH 8.2 npm
GHSA-f3f2-mcxc-pwjx n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes
Modified: 2/26/2026
MEDIUM 4.7 npm
GHSA-f6x8-65q6-j9m9 · CVE-2026-42230 n8n has Open Redirect in MCP OAuth Consent Flow
Modified: 5/8/2026
MEDIUM 5.4 npm
GHSA-f77h-j2v7-g6mw · CVE-2026-42228 n8n Vulnerable to Hijacking of Unauthenticated Chat Execution
Modified: 5/8/2026
LOW 3.7 npm
GHSA-fvfv-ppw4-7h2w n8n has a Guardrail Node Bypass
Modified: 2/26/2026
MEDIUM 6.3 npm
GHSA-fxcw-h3qj-8m8p · CVE-2026-33722 n8n Has External Secrets Authorization Bypass in Credential Saving
Modified: 3/25/2026
CRITICAL npm
GHSA-gfvg-qv54-r4pc · CVE-2026-25052 n8n's Improper File Access Controls Allow Arbitrary File Read by Authenticated Users
Modified: 2/5/2026
MEDIUM 6.5 npm
GHSA-ggjm-f3g4-rwmm · CVE-2025-57749 n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files
Modified: 8/21/2025
MEDIUM 4.3 npm
GHSA-gq57-v332-7666 · CVE-2025-52554 n8n is vulnerable to Improper Authorization through its `/stop` endpoint
Modified: 7/3/2025
HIGH 8.7 npm
GHSA-hfmv-hhh3-43f2 · CVE-2025-52478 Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source
Modified: 8/19/2025
HIGH 8.2 npm
GHSA-hp3c-vfpm-q4f7 · CVE-2026-42237 n8n has SQL Injection in Snowflake and MySQL Nodes
Modified: 5/8/2026
CRITICAL 9.9 npm
GHSA-hqr4-h3xv-9m3r · CVE-2026-42232 n8n has XML Node Prototype Pollution that to RCE
Modified: 5/8/2026
CRITICAL npm
GHSA-hv53-3329-vmrm · CVE-2026-25056 n8n Merge Node has Arbitrary File Write leading to RCE
Modified: 2/4/2026
HIGH 7.4 npm
GHSA-hv7x-3x78-gx53 n8n: Wrong OAuth Scope On Evaluations Test Run Creation Endpoint
Modified: 6/16/2026
HIGH 7.1 npm
GHSA-j4p8-h8mh-rh8q · CVE-2025-68697 Self-hosted n8n has Legacy Code node that enables arbitrary file read/write
Modified: 12/31/2025
MEDIUM 6.5 npm
GHSA-jf52-3f2h-h9j5 · CVE-2026-21894 n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
Modified: 2/3/2026
MEDIUM 4.8 npm
GHSA-jh8h-6c9q-7gmw n8n has an Authentication Bypass in its Chat Trigger Node
Modified: 2/26/2026
CRITICAL npm
GHSA-jjpj-p2wh-qf23 · CVE-2026-27495 n8n has a Sandbox Escape in its JavaScript Task Runner
Modified: 2/28/2026
HIGH 7.7 npm
GHSA-jpq7-226w-6cxx · CVE-2026-54313 n8n: NoSQL Injection in MongoDB Node Find And Replace Operation
Modified: 6/16/2026
HIGH 7.2 npm
GHSA-jvc7-762p-3743 · CVE-2026-54308 n8n: Missing Token Validation on Microsoft Agent 365 Trigger and Stripe Nodes
Modified: 6/16/2026
CRITICAL 9.9 npm
GHSA-m63j-689w-3j35 · CVE-2026-33663 n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition
Modified: 3/25/2026
HIGH npm
GHSA-m82q-59gv-mcr9 · CVE-2026-25055 n8n Vulnerable to Arbitrary File Write on Remote Systems via SSH Node
Modified: 2/4/2026
HIGH npm
GHSA-mhrx-qhrj-673w · CVE-2026-44792 n8n Has a Source Control Pull SQL Injection
Modified: 5/14/2026
CRITICAL 9.9 npm
GHSA-mmgg-m5j7-f83h · CVE-2026-27494 n8n has Arbitrary File Read via Python Code Node Sandbox Escape
Modified: 2/28/2026
MEDIUM 6.8 npm
GHSA-mp4j-h6gh-f6mp · CVE-2026-42229 n8n has SQL Injection in SeaTable Node
Modified: 5/8/2026
MEDIUM 4.0 npm
GHSA-mqpr-49jj-32rc n8n: Webhook Forgery on Github Webhook Trigger
Modified: 2/26/2026
MEDIUM 4.1 npm
GHSA-mvh4-2cm2-6hpg · CVE-2025-58177 Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter
Modified: 9/15/2025
CRITICAL 9.9 npm
GHSA-mxrg-77hm-89hv · CVE-2026-33696 n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE
Modified: 3/26/2026
MEDIUM 6.5 npm
GHSA-p58x-7733-vp9m · CVE-2023-27562 n8n Directory Traversal vulnerability
Modified: 11/8/2023
MEDIUM 4.9 npm
GHSA-pr9r-gxgp-9rm8 · CVE-2025-49595 n8n Vulnerable to Denial of Service via Malformed Binary Data Requests
Modified: 7/3/2025
MEDIUM 5.4 npm
GHSA-q4fm-pjq6-m63g n8n has a Stored XSS Vulnerability in its Form Trigger
Modified: 3/27/2026
CRITICAL 10.0 npm
GHSA-q5f4-99jv-pgg5 · CVE-2026-42231 n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE
Modified: 5/8/2026
HIGH 8.9 npm
GHSA-qfc3-hm4j-7q77 · CVE-2026-33749 n8n Vulnerable to XSS via Binary Data Inline HTML Rendering
Modified: 3/26/2026
HIGH npm
GHSA-qpq4-pw7f-pp8w · CVE-2026-25054 n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI
Modified: 2/4/2026
HIGH 8.5 npm
GHSA-r4v6-9fqc-w5jr · CVE-2026-42226 n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay
Modified: 5/8/2026
CRITICAL 9.8 npm
GHSA-r6jc-mpqw-m755 · CVE-2026-42233 n8n has SQL Injection in Oracle Database Node via Limit Field
Modified: 5/8/2026
HIGH 7.5 npm
GHSA-r9xw-p7wj-w792 · CVE-2023-27564 n8n Information Disclosure vulnerability
Modified: 11/8/2023
CRITICAL 9.9 npm
GHSA-v364-rw7m-3263 · CVE-2026-21877 n8n Vulnerable to RCE via Arbitrary File Write
Modified: 2/3/2026
CRITICAL 10.0 npm
GHSA-v4pr-fm98-w9pg · CVE-2026-21858 n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling
Modified: 2/3/2026
HIGH 7.6 npm
GHSA-v733-mwr6-fgcm · CVE-2026-54301 n8n: Same-Origin XSS in Respond to Webhook Node
Modified: 6/16/2026
CRITICAL 9.9 npm
GHSA-v98v-ff95-f3cp · CVE-2025-68613 n8n Vulnerable to Remote Code Execution via Expression Injection
Modified: 3/13/2026
MEDIUM 6.3 npm
GHSA-vjf3-2gpj-233v n8n has an SSO Enforcement Bypass in its Self-Service Settings API
Modified: 2/26/2026
CRITICAL 9.9 npm
GHSA-vpcf-gvg4-6qwr · CVE-2026-27577 n8n: Expression Sandbox Escape Leads to RCE
Modified: 2/28/2026
MEDIUM 4.7 npm
GHSA-vpgc-2f6g-7w7x · CVE-2026-33720 n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK
Modified: 3/25/2026
MEDIUM 4.1 npm
GHSA-w673-8fjw-457c n8n: Authenticated XSS and Open Redirect via Form Node
Modified: 3/27/2026
MEDIUM 4.8 npm
GHSA-w83q-mcmx-mh42 · CVE-2026-33751 n8n Vulnerable to LDAP Filter Injection in LDAP Node
Modified: 3/26/2026
MEDIUM 5.3 npm
GHSA-w96v-gf22-crwp · CVE-2025-68949 n8n: Webhook Node IP Whitelist Bypass via Partial String Matching
Modified: 2/3/2026
CRITICAL npm
GHSA-wpqc-h9wp-chmq · CVE-2025-65964 n8n vulnerable to Remote Code Execution via Git Node Custom Pre-Commit Hook
Modified: 12/9/2025
CRITICAL npm
GHSA-wrwr-h859-xh2r · CVE-2026-44791 n8n Has an XML Node Prototype Pollution Patch Bypass
Modified: 5/14/2026
CRITICAL 9.9 npm
GHSA-wxx7-mcgf-j869 · CVE-2026-27497 n8n has Potential Remote Code Execution via Merge Node
Modified: 2/28/2026
HIGH 8.5 npm
GHSA-x2mw-7j39-93xq · CVE-2026-27498 n8n has Arbitrary Command Execution via File Write and Git Operations
Modified: 2/28/2026
HIGH 8.8 npm
GHSA-xgp7-7qjq-vg47 · CVE-2025-62726 n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook
Modified: 10/30/2025
MEDIUM 6.5 npm
GHSA-xvh5-5qg4-x9qp · CVE-2026-27496 n8n has In-Process Memory Disclosure in its Task Runner
Modified: 3/27/2026