n8n

A critical flaw in n8n (CVSS 9.4) exploits TypeScript/JavaScript type mismatch to bypass sanitization from a December 2025 patch, enabling authenticated remote command execution via webhook workflows.

JFrog discovered two sandbox escape flaws in n8n: CVE-2026-1470 (CVSS 9.9) bypasses JavaScript sandboxing via deprecated 'with' statement, and CVE-2026-0863 (CVSS 8.5) escapes Python restrictions via AttributeError.obj.

CVE-2026-21858 'Ni8mare' (CVSS 10.0) enables unauthenticated attackers to read files, bypass authentication, and execute commands on n8n servers through a Content-Type confusion flaw.