Vulnerabilities in n8n-io
79 results

CVE-2026-54306 [MEDIUM] n8n: Prototype Pollution enables confused-deputy execution via public webhooks (EPSS 0.3%)
CVE-2026-42237 [MEDIUM] n8n: SQL Injection in Snowflake and MySQL Nodes (EPSS 0.3%)
CVE-2025-68949 [MEDIUM] n8n has a Webhook Node IP Whitelist Bypass via Partial String Matching (EPSS 0.3%)
CVE-2026-33749 [MEDIUM] n8n Vulnerable to XSS via Binary Data Inline HTML Rendering (EPSS 0.2%)
CVE-2026-33751 [MEDIUM] n8n Vulnerable to LDAP Filter Injection in LDAP Node (EPSS 0.2%)
CVE-2025-68697 [HIGH] Self-hosted n8n has Legacy Code node that enables arbitrary file read/write (EPSS 0.2%)
CVE-2026-25051 [HIGH] n8n Improper CSP Enforcement in Webhook Responses May Allow Stored XSS (EPSS 0.2%)
CVE-2025-58177 [MEDIUM] n8n stored cross-site scripting in LangChain Chat Trigger node initialMessages parameter (EPSS 0.2%)
CVE-2025-61914 [HIGH] n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox (EPSS 0.2%)
CVE-2026-54301 [HIGH] n8n: Same-Origin XSS in Respond to Webhook Node (EPSS 0.2%)
CVE-2026-54302 [HIGH] n8n: Stored XSS in Chat Trigger Node (EPSS 0.2%)
CVE-2025-46343 [MEDIUM] n8n Vulnerable to Stored XSS through Attachments View Endpoint (EPSS 0.2%)
CVE-2026-42227 [MEDIUM] n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure (EPSS 0.2%)
CVE-2025-49592 [MEDIUM] n8n Login Flow has Open Redirect Vulnerability (EPSS 0.2%)
CVE-2026-25054 [HIGH] n8n is Vulnerable to Stored Cross-Site Scripting via Markdown Rendering in Workflow UI (EPSS 0.2%)
CVE-2026-27578 [HIGH] n8n Vulnerable to Stored XSS via Various Nodes (EPSS 0.2%)
CVE-2026-42230 [MEDIUM] n8n: Open Redirect in MCP OAuth Consent Flow (EPSS 0.2%)
CVE-2026-33720 [MEDIUM] n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK (EPSS 0.2%)
CVE-2026-54303 [MEDIUM] n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints (EPSS 0.2%)