npm

n8n

79 known vulnerabilities · 0 critical · 2 high

CVE-2023-27563 · HIGH

n8n Privilege Escalation vulnerability

Published May 10, 2023
CVE-2025-61917

n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner

Published Feb 4, 2026
CVE-2023-27564 · HIGH

n8n Information Disclosure vulnerability

Published May 10, 2023
GHSA-mqpr-49jj-32rc

n8n: Webhook Forgery on Github Webhook Trigger

Published Feb 26, 2026
CVE-2026-33713

n8n has SQL Injection in Data Table Node via orderByColumn Expression

Published Mar 26, 2026
CVE-2026-33724

n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no

Published Mar 25, 2026
CVE-2026-27498

n8n has Arbitrary Command Execution via File Write and Git Operations

Published Feb 25, 2026
CVE-2026-33722

n8n Has External Secrets Authorization Bypass in Credential Saving

Published Mar 25, 2026
CVE-2026-33663

n8n is Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition

Published Mar 25, 2026
CVE-2026-33660

n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode

Published Mar 25, 2026
CVE-2026-21894

n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks

Published Jan 7, 2026
CVE-2026-27494

n8n has Arbitrary File Read via Python Code Node Sandbox Escape

Published Feb 25, 2026
CVE-2026-33749

n8n Vulnerable to XSS via Binary Data Inline HTML Rendering

Published Mar 26, 2026
CVE-2026-27578

n8n Vulnerable to Stored XSS via Various Nodes

Published Feb 25, 2026
CVE-2026-1470

n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution

Published Jan 27, 2026
CVE-2026-21877

n8n Vulnerable to RCE via Arbitrary File Write

Published Jan 6, 2026
CVE-2026-27493

n8n has Unauthenticated Expression Evaluation via Form Node

Published Feb 25, 2026
CVE-2025-65964

n8n vulnerable to Remote Code Execution via Git Node Custom Pre-Commit Hook

Published Dec 8, 2025
GHSA-w673-8fjw-457c

n8n: Authenticated XSS and Open Redirect via Form Node

Published Mar 27, 2026
CVE-2026-27496

n8n has In-Process Memory Disclosure in its Task Runner

Published Mar 25, 2026
CVE-2026-25631

n8n's domain allowlist bypass enables credential exfiltration

Published Feb 4, 2026
GHSA-364x-8g5j-x2pr

n8n has XSS in its Credential Management Flow

Published Mar 27, 2026
GHSA-3c7f-5hgj-h279

n8n has XSS in Chat Trigger Node through Custom CSS

Published Mar 27, 2026
CVE-2025-68668

n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node

Published Dec 26, 2025
CVE-2026-25053

n8n has OS Command Injection in Git Node

Published Feb 4, 2026
GHSA-f3f2-mcxc-pwjx

n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes

Published Feb 26, 2026
CVE-2026-21858

n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling

Published Jan 7, 2026
GHSA-jh8h-6c9q-7gmw

n8n has an Authentication Bypass in its Chat Trigger Node

Published Feb 26, 2026
CVE-2025-68949

n8n: Webhook Node IP Whitelist Bypass via Partial String Matching

Published Jan 13, 2026
CVE-2026-25055

n8n Vulnerable to Arbitrary File Write on Remote Systems via SSH Node

Published Feb 4, 2026
CVE-2026-25052

n8n's Improper File Access Controls Allow Arbitrary File Read by Authenticated Users

Published Feb 4, 2026
CVE-2026-25056

n8n Merge Node has Arbitrary File Write leading to RCE

Published Feb 4, 2026
CVE-2025-68697

Self-hosted n8n has Legacy Code node that enables arbitrary file read/write

Published Dec 26, 2025
CVE-2026-33696

n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE

Published Mar 26, 2026
CVE-2026-25054

n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI

Published Feb 4, 2026
CVE-2026-33720

n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK

Published Mar 25, 2026
GHSA-vjf3-2gpj-233v

n8n has an SSO Enforcement Bypass in its Self-Service Settings API

Published Feb 26, 2026
CVE-2026-33751

n8n Vulnerable to LDAP Filter Injection in LDAP Node

Published Mar 26, 2026
CVE-2026-25115

n8n has a Python sandbox escape

Published Feb 4, 2026
GHSA-38c7-23hj-2wgq

n8n has Webhook Forgery on Zendesk Trigger Node

Published Feb 26, 2026
CVE-2025-61914

n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox

Published Dec 26, 2025
CVE-2026-33665

n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover

Published Mar 25, 2026
CVE-2026-27495

n8n has a Sandbox Escape in its JavaScript Task Runner

Published Feb 25, 2026
GHSA-q4fm-pjq6-m63g

n8n has a Stored XSS Vulnerability in its Form Trigger

Published Mar 27, 2026
GHSA-fvfv-ppw4-7h2w

n8n has a Guardrail Node Bypass

Published Feb 26, 2026
CVE-2026-27497

n8n has Potential Remote Code Execution via Merge Node

Published Feb 25, 2026
CVE-2023-27562 · MEDIUM

n8n Directory Traversal vulnerability

Published May 10, 2023
CVE-2025-68613

n8n Vulnerable to Remote Code Execution via Expression Injection

Published Dec 22, 2025
CVE-2026-27577

n8n: Expression Sandbox Escape Leads to RCE

Published Feb 25, 2026
GHSA-4ggg-h7ph-26qr

n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode

Published Apr 8, 2026
GHSA-75hx-xj24-mqrw

n8n-mcp has unauthenticated session termination and information disclosure in HTTP transport

Published Apr 10, 2026
MAL-2025-191225

Malicious code in @hapheus/n8n-nodes-pgp (npm)

Published Nov 24, 2025
MAL-2025-191399

Malicious code in n8n-nodes-viral-app (npm)

Published Nov 25, 2025
CVE-2025-56265

N8N's Chat Trigger component is vulnerable to XSS

Published Sep 8, 2025
MAL-2026-177

Malicious code in n8n-nodes-ggdv-hdfvcnnje-uyrokvbkl (npm)

Published Jan 9, 2026
MAL-2026-179

Malicious code in n8n-nodes-vbmkajdsa-uehfitvv-ueqjhhhksdlkkmz (npm)

Published Jan 9, 2026
GHSA-pfm2-2mhg-8wpx

n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests

Published Apr 23, 2026
MAL-2026-394

Malicious code in n8n-nodes-zl-vietts (npm)

Published Jan 21, 2026
MAL-2026-1454

Malicious code in n8n-nodes-text-helpers (npm)

Published Mar 15, 2026
MAL-2026-378

Malicious code in @diendh/n8n-nodes-tiktok-v2 (npm)

Published Jan 21, 2026
MAL-2026-557

Malicious code in n8n-nodes-zalo-fevox (npm)

Published Jan 28, 2026
MAL-2026-558

Malicious code in n8n-zalo-fevox (npm)

Published Jan 28, 2026
MAL-2025-48438

Malicious code in n8n-nodes-phoai-ultimate-tools (npm)

Published Oct 17, 2025
MAL-2026-69

Malicious code in n8n-performance-metrics (npm)

Published Jan 6, 2026
MAL-2025-190977

Malicious code in n8n-nodes-vercel-ai-sdk (npm)

Published Nov 24, 2025
MAL-2026-597

Malicious code in n8n-nodes-comfyui-illu (npm)

Published Jan 29, 2026
MAL-2026-1472

Malicious code in n8n-nodes-xml-utils (npm)

Published Mar 16, 2026
MAL-2026-1467

Malicious code in n8n-nodes-csv-parse (npm)

Published Mar 16, 2026
MAL-2026-1468

Malicious code in n8n-nodes-data-transform (npm)

Published Mar 16, 2026
MAL-2026-1469

Malicious code in n8n-nodes-format-utils (npm)

Published Mar 16, 2026
MAL-2026-178

Malicious code in n8n-nodes-hfgjf-irtuinvcm-lasdqewriit (npm)

Published Jan 9, 2026
MAL-2025-190852

Malicious code in n8n-nodes-tmdb (npm)

Published Nov 24, 2025
MAL-2026-538

Malicious code in n8n-nodes-gasdhgfuy-rejerw-ytjsadx (npm)

Published Jan 27, 2026
MAL-2026-539

Malicious code in n8n-nodes-gg-udhasudsh-hgjkhg-official (npm)

Published Jan 27, 2026
MAL-2026-540

Malicious code in n8n-nodes-xkwqpzrt-jmflhvbn-dsyocgxwmkelpt (npm)

Published Jan 27, 2026
MAL-2026-68

Malicious code in n8n-nodes-performance-metrics (npm)

Published Jan 6, 2026
MAL-2025-4277

Malicious code in n8n-nodes-zalo-user (npm)

Published May 22, 2025
MAL-2026-1470

Malicious code in n8n-nodes-json-helper (npm)

Published Mar 16, 2026
MAL-2026-1471

Malicious code in n8n-nodes-text-utils (npm)

Published Mar 16, 2026