Package impact
npm / n8n
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42233 | critical | 9.8 | 9.8 | 1mo ago | n8n has SQL Injection in Oracle Database Node via Limit Field | |||
| CVE-2026-42235 | critical | 9.6 | 9.6 | 1mo ago | n8n Vulnerable to XSS via MCP OAuth client | |||
| CVE-2026-44791 | critical | — | 9.5 | 21d ago | n8n Has an XML Node Prototype Pollution Patch Bypass | |||
| CVE-2026-44790 | critical | — | 9.5 | 21d ago | n8n Has an Arbitrary File Read via Git Node | |||
| CVE-2026-44789 | critical | — | 9.5 | 21d ago | n8n: HTTP Request Node Pagination Prototype Pollution to RCE | |||
| CVE-2026-42228 | medium | 6.5 | 6.5 | 1mo ago | n8n Vulnerable to Hijacking of Unauthenticated Chat Execution | |||
| CVE-2026-42227 | medium | 6.5 | 6.5 | 1mo ago | n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure | |||
| CVE-2026-42230 | medium | 6.1 | 6.1 | 1mo ago | n8n has Open Redirect in MCP OAuth Consent Flow |