CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.14)

CVE-2026-54305
Critical

In n8n before versions 1.123.55, 2.25.7, and 2.26.2, three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An authenticated user with no project membership or credential sharing relationship could enumerate credential identifiers, names, and types referenced by any private workflow in the instance, initiate an OAuth authorization flow against another user's credential to overwrite its stored tokens with tokens bound to an account they control, or revoke another user's stored credential tokens entirely.

CVE-2026-54304
High

In n8n before versions 1.123.55, 2.25.7, and 2.26.1, an authenticated user with permission to create or modify workflows and access to a SecurityScorecard credential with limited allowed domains could configure the SecurityScorecard node's report download operation to target an attacker-controlled URL. The node attached the SecurityScorecard API token to the outbound request, causing the credential to be sent to the attacker-controlled host bypassing credential configured limitations and exfiltrating.

CVE-2026-54302
Medium

In n8n before versions 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious webhookId. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's session privileges.

CVE-2026-54301
Medium

In n8n before versions 1.123.55, 2.25.7, and 2.26.2, an authenticated user with workflow edit access could configure a Respond to Webhook node to serve binary content with an attacker-controlled Content-Type. The binary response path bypassed the central Content-Security-Policy sandbox header, allowing a public webhook to execute JavaScript in the n8n origin when visited by an authenticated user, with access to that user's session.

CVE-2026-50574
High

A vulnerability in yt-dlp prior to version 2026.06.09 allows an attacker to write arbitrary files by passing unsanitized input to the external tool aria2c when downloading HLS/DASH streams. On Windows systems this leads to immediate arbitrary code execution, while on other platforms code execution occurs on the next yt-dlp invocation.

CVE-2026-50023
High

In yt-dlp before version 2026.06.09, a vulnerability was discovered that allows a remote attacker to write malicious OS-shortcut files (such as .desktop, .url, .webloc) to the user's filesystem. The issue stems from an incorrect allowlist that includes unsafe file extensions, bypassing the fixes for CVE-2024-38519. This vulnerability is fixed in version 2026.06.09.

CVE-2026-50019
Medium

Vulnerability in yt-dlp from version 2023.09.24 to 2026.06.09 causes cookie leakage to an unintended host when using curl as an external downloader. The issue occurs during HTTP redirects or when the fragment host differs from the parent manifest host.

CVE-2026-49465
High

In n8n before versions 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows could supply a local filesystem path as the source repository in the Git node's Clone operation, or as the target repository in the Push operation, bypassing the N8N_RESTRICT_FILE_ACCESS_TO file sandbox. This allowed the contents of any local git repository accessible to the n8n process to be cloned into an allowed path and read, circumventing the access restrictions that correctly blocked direct file reads to the same paths.

CVE-2026-49444
High

In n8n, an open source workflow automation platform, prior to versions 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container.

CVE-2026-48520
Medium

In Langflow before version 1.10.0, the 'Shareable Playground' ('Public Flows') feature allowed public execution of flows. The execution request could contain a list of files read by Langflow and fed into the LLM, enabling arbitrary file reads from local or S3 paths depending on configuration.

CVE-2026-48519
Critical

Langflow before version 1.9.2 contains a critical RCE vulnerability in the 'Shareable Playground' feature. Unauthenticated users can execute arbitrary Python code by sending a crafted request to the /api/v1/build_public_tmp endpoint with the field data.nodes[X].data.node.template.code.value.

CVE-2026-45732
High

In n8n before versions 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control.

CVE-2026-44961
Unknown

The addUser method in the XML-RPC API has a validation bypass introduced in the fix for CVE-2025-55129. API users could create usernames that enabled impersonation or stored XSS attacks.

CVE-2026-44960
Unknown

CVE-2026-44960 involves a stored XSS that can be exploited by leveraging usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation.

CVE-2026-44959
High

A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low-privileged user could add an unexpected component parameter and inject malicious PHP code into the compiledlimitations field, which would then be executed during banner delivery.

CVE-2026-44958
Medium

The vulnerability allows advertiser-level users to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The banner-edit.php script allowed the banner status to be overwritten solely based on banner edit permissions.

CVE-2026-44957
Medium

A missing access control check when invoking various modify methods in the XML-RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships.

CVE-2026-44956
Unknown

Low-privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system-generated emails, whose content is stored in the details field of the userlog table.

CVE-2026-44792
Critical

n8n is an open source workflow automation platform. Prior to versions 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name, potentially leading to SQL injection.

CVE-2026-44791
Critical

n8n is an open source workflow automation platform. Prior to versions 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-42232 in the XML node, potentially leading to RCE on the n8n host.

PreviousPage 241 of 4558Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS