NIXPKGS-2026-0752

GitHub issue published 3 months ago

Permalink CVE-2026-33724

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no

https://github.com/n8n-io/n8n/security/advisories/GHSA-43v7-fp2v-68f6 x_refsource_CONFIRM

n8n

==< 2.5.0

Upstream advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-43v7-fp2v-68f6

NIXPKGS-2026-0751

GitHub issue published 3 months ago

Permalink CVE-2026-33663

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

n8n Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition

https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35 x_refsource_CONFIRM

n8n

==>= 2.0.0-rc.0, < 2.13.3
==< 1.123.27
=== 2.14.0

Upstream advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-m63j-689w-3j35

NIXPKGS-2026-0750

GitHub issue published 3 months ago

Permalink CVE-2026-33720

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK

https://github.com/n8n-io/n8n/security/advisories/GHSA-vpgc-2f6g-7w7x x_refsource_CONFIRM

n8n

==< 2.8.0

Upstream advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-vpgc-2f6g-7w7x

NIXPKGS-2026-0749

GitHub issue published 3 months ago

Permalink CVE-2026-33751

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

n8n Vulnerable to LDAP Filter Injection in LDAP Node

https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42 x_refsource_CONFIRM

n8n

==>= 2.0.0-rc.0, < 2.13.3
==< 1.123.27
=== 2.14.0

Upstream advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42

NIXPKGS-2026-0748

GitHub issue published 3 months ago

          Permalink
          
            CVE-2026-1001
          
              updated
            
          2 months, 4 weeks ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          3 months ago
          
          @LeSuisse
          
              accepted
            
          2 months, 4 weeks ago
          
          @LeSuisse
          
              published on GitHub
            
          2 months, 4 weeks ago
          
            Domoticz < 2026.1 Stored XSS via Hardware Configuration Endpoint
          
      https://www.domoticz.com/2026.1/
    
    patchrelease-notes
  
      https://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configura…
    
    third-party-advisory
  
    Domoticz

            <2026.1
          
          3rd party "advisory": https://www.vulncheck.com/advisories/domoticz-stored-xss-via-hardware-configuration-endpoint
Apparently mentioned in upstream release notes https://www.domoticz.com/2026.1/ as "Better XSS prevention"

NIXPKGS-2026-0768

GitHub issue published 3 months ago

          Permalink
          
            CVE-2026-33216
          
        8.6 HIGH
      
        CVSS version (CVSS): 3.1
      
          Attack Vector (AV): Network (N)
        
          Attack Complexity (AC): Low (L)
        
          Privileges Required (PR): None (N)
        
          User Interaction (UI): None (N)
        
          Scope (S): Changed (C)
        
          Confidentiality (C): High (H)
        
          Integrity (I): None (N)
        
          Availability (A): None (N)
        
          Modified Attack Vector (MAV): Network (N)
        
          Modified Attack Complexity (MAC): Low (L)
        
          Modified Privileges Required (MPR): None (N)
        
          Modified User Interaction (MUI): None (N)
        
          Modified Confidentiality (MC): High (H)
        
          Modified Scope (MS): Changed (C)
        
          Modified Integrity (MI): None (N)
        
          Modified Availability (MA): None (N)
        
              updated
            
          2 months, 4 weeks ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          3 months ago
          
          @LeSuisse
          
              accepted
            
          2 months, 4 weeks ago
          
          @LeSuisse
          
              published on GitHub
            
          2 months, 4 weeks ago
          
            NATS has MQTT plaintext password disclosure
          
      https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc
    
    x_refsource_CONFIRM
  
      https://github.com/nats-io/nats-server/commit/b5b63cfc35a57075e09c1f57503d31721bed8099
    
    x_refsource_MISC
  
      https://advisories.nats.io/CVE/secnote-2026-05.txt
    
    x_refsource_MISC
  
    nats-server

            ==< 2.11.15
          
            ==>= 2.12.0-RC.1, < 2.12.6
          
          Upstream advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-v722-jcv5-w7mc

NIXPKGS-2026-0747

GitHub issue published 3 months ago

          Permalink
          
            CVE-2026-3608
          
        7.5 HIGH
      
        CVSS version (CVSS): 3.1
      
          Attack Vector (AV): Network (N)
        
          Attack Complexity (AC): Low (L)
        
          Privileges Required (PR): None (N)
        
          User Interaction (UI): None (N)
        
          Scope (S): Unchanged (U)
        
          Confidentiality (C): None (N)
        
          Integrity (I): None (N)
        
          Availability (A): High (H)
        
          Modified Attack Vector (MAV): Network (N)
        
          Modified Attack Complexity (MAC): Low (L)
        
          Modified Privileges Required (MPR): None (N)
        
          Modified User Interaction (MUI): None (N)
        
          Modified Confidentiality (MC): None (N)
        
          Modified Scope (MS): Unchanged (U)
        
          Modified Integrity (MI): None (N)
        
          Modified Availability (MA): High (H)
        
              updated
            
          2 months, 4 weeks ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          3 months ago
          
          @LeSuisse
          
              ignored
            
                4 packages
                keama
speakeasy-cli
elmPackages.elm-graphql
prometheus-kea-exporter

          2 months, 4 weeks ago
          
          @LeSuisse
          
              accepted
            
          2 months, 4 weeks ago
          
          @LeSuisse
          
              published on GitHub
            
          2 months, 4 weeks ago
          
            Stack overflow in Kea daemons
          
      CVE-2026-3608
    
    vendor-advisory
  
      https://downloads.isc.org/isc/kea/2.6.5
    
    patch
  
      https://downloads.isc.org/isc/kea/3.0.3
    
    patch
  
      http://www.openwall.com/lists/oss-security/2026/03/25/6
    
    Kea

            =<3.0.2
          
            =<2.6.4
          
          Upstream advisory: https://kb.isc.org/docs/cve-2026-3608
https://downloads.isc.org/isc/kea/3.0.3

NIXPKGS-2026-0769

GitHub issue published 3 months ago

          Permalink
          
            CVE-2026-27496
          
              updated
            
          2 months, 4 weeks ago
          by @LeSuisse
        
      Activity log
    
              Created suggestion
            
          3 months ago
          
          @LeSuisse
          
              ignored
            
                3 packages
                n8n-nodes-carbonejs
n8n-nodes-evolution-api
n8n-task-runner-launcher

          2 months, 4 weeks ago
          
          @LeSuisse
          
              accepted
            
          2 months, 4 weeks ago
          
          @LeSuisse
          
              published on GitHub
            
          2 months, 4 weeks ago
          
            n8n has In-Process Memory Disclosure in its Task Runner
          
      https://github.com/n8n-io/n8n/security/advisories/GHSA-xvh5-5qg4-x9qp
    
    x_refsource_CONFIRM
  
      https://docs.n8n.io/hosting/configuration/task-runners
    
    x_refsource_MISC
  
      https://docs.n8n.io/hosting/securing/blocking-nodes
    
    x_refsource_MISC
  
    n8n

            ==>= 2.0.0-rc.0, < 2.9.3
          
            ==>= 2.10.0, < 2.10.1
          
            ==< 1.123.22
          
          Upstream advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-xvh5-5qg4-x9qp

NIXPKGS-2026-0773

GitHub issue published 3 months ago

Permalink CVE-2026-33696

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

n8n Vulnerable to Prototype Pollution in XML & GSuiteAdmin node parameters lead to RCE

https://github.com/n8n-io/n8n/security/advisories/GHSA-mxrg-77hm-89hv x_refsource_CONFIRM

n8n

==>= 2.0.0-rc.0, < 2.13.3
==< 1.123.27
=== 2.14.0

Upstream advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-mxrg-77hm-89hv

NIXPKGS-2026-0772

GitHub issue published 3 months ago

Permalink CVE-2026-33660

updated 2 months, 4 weeks ago by @LeSuisse Activity log

Created suggestion 3 months ago
@LeSuisse ignored
3 packages
- n8n-nodes-carbonejs
- n8n-nodes-evolution-api
- n8n-task-runner-launcher
2 months, 4 weeks ago
@LeSuisse accepted 2 months, 4 weeks ago
@LeSuisse published on GitHub 2 months, 4 weeks ago

n8n Has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode

https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v x_refsource_CONFIRM

n8n

==>= 2.0.0-rc.0, < 2.13.3
==< 1.123.27
=== 2.14.0

Upstream advisory: https://github.com/n8n-io/n8n/security/advisories/GHSA-58qr-rcgv-642v

Nixpkgs security tracker

Published issues

n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no

n8n Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition

n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK

n8n Vulnerable to LDAP Filter Injection in LDAP Node

Domoticz < 2026.1 Stored XSS via Hardware Configuration Endpoint

NATS has MQTT plaintext password disclosure

Stack overflow in Kea daemons

n8n has In-Process Memory Disclosure in its Task Runner

n8n Vulnerable to Prototype Pollution in XML & GSuiteAdmin node parameters lead to RCE

n8n Has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode