JFrog

JFrog discovered two sandbox escape flaws in n8n: CVE-2026-1470 (CVSS 9.9) bypasses JavaScript sandboxing via deprecated 'with' statement, and CVE-2026-0863 (CVSS 8.5) escapes Python restrictions via AttributeError.obj.

CVE-2025-62507 is a stack buffer overflow in Redis 8.2's XACKDEL command. JFrog researchers demonstrated full remote code execution is achievable, contradicting the initial 'authentication required' assessment.