Python

JFrog discovered two sandbox escape flaws in n8n: CVE-2026-1470 (CVSS 9.9) bypasses JavaScript sandboxing via deprecated 'with' statement, and CVE-2026-0863 (CVSS 8.5) escapes Python restrictions via AttributeError.obj.

Packages 'spellcheckerpy' and 'spellcheckpy' downloaded over 1,000 times use multi-layer encryption and fileless execution to deliver cryptocurrency-stealing RAT. Same threat actor linked to November 2025 campaign.