n8n vulnerabilities

Browse known CVEs and advisories by package and ecosystem. Severity tells you the worst case. What determines real risk is whether the vulnerable code actually runs in your applications.

| CVE-ID | Severity | Package summary |
|---|---|---|
| CVE-2026-25049 | Critical | n8n: n8n Has Expression Escape Vulnerability Leading to RCE |
| CVE-2026-21893 | Critical | n8n: n8n Vulnerable to Command Injection in Community Package Installation |
| CVE-2025-61917 | High | n8n: n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner |
| CVE-2026-1470 | Critical | n8n: n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution |
| CVE-2025-68949 | Medium | n8n: n8n: Webhook Node IP Whitelist Bypass via Partial String Matching |
| CVE-2026-21894 | Medium | n8n: n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks |
| CVE-2026-21858 | Critical | n8n: n8n Vulnerable to Unauthenticated File Access via Improper Webhook Request Handling |
| CVE-2026-21877 | Critical | n8n: n8n Vulnerable to RCE via Arbitrary File Write |
| CVE-2025-68697 | High | n8n: Self-hosted n8n has Legacy Code node that enables arbitrary file read/write |
| CVE-2025-68668 | Critical | n8n: n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node |
| CVE-2025-61914 | High | n8n: n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox |
| CVE-2025-68613 | Critical | n8n: n8n Vulnerable to Remote Code Execution via Expression Injection |
| CVE-2025-65964 | Critical | n8n: n8n vulnerable to Remote Code Execution via Git Node Custom Pre-Commit Hook |
| CVE-2025-62726 | High | n8n: n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook |
| GHSA-365G-VJW2-GRX8 | High | n8n-nodes-base: n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host |
| CVE-2025-58177 | Medium | n8n: Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter |
| CVE-2025-57749 | Medium | n8n: n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files |
| CVE-2025-52478 | High | n8n: Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source |
| CVE-2025-52554 | Medium | n8n: n8n is vulnerable to Improper Authorization through its `/stop` endpoint |
| CVE-2025-49595 | Medium | n8n: n8n Vulnerable to Denial of Service via Malformed Binary Data Requests |
| CVE-2025-49592 | Medium | n8n: n8n allows open redirects via the /signin endpoint |
| CVE-2025-46343 | Medium | n8n: n8n Vulnerable to Stored XSS through Attachments View Endpoint |
| CVE-2023-27562 | Medium | n8n: n8n Directory Traversal vulnerability |
| CVE-2023-27564 | High | n8n: n8n Information Disclosure vulnerability |
| CVE-2023-27563 | High | n8n: n8n Privilege Escalation vulnerability |
