CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.13)
In n8n, an open source workflow automation platform, prior to versions 1.123.48, 2.21.8, and 2.22.4, an authenticated user with permission to create or modify workflows containing a Python Code Node could escape the sandbox and achieve arbitrary code execution on the task runner container.
In Langflow before version 1.10.0, the 'Shareable Playground' ('Public Flows') feature allowed public execution of flows. The execution request could contain a list of files read by Langflow and fed into the LLM, enabling arbitrary file reads from local or S3 paths depending on configuration.
Langflow before version 1.9.2 contains a critical RCE vulnerability in the 'Shareable Playground' feature. Unauthenticated users can execute arbitrary Python code by sending a crafted request to the /api/v1/build_public_tmp endpoint with the field data.nodes[X].data.node.template.code.value.
In n8n before versions 1.123.43, 2.22.1, and 2.20.7, the OAuth1 and OAuth2 credential reconnect endpoints authorized access using credential:read rather than credential:update. An authenticated user with read-only access to a shared credential could initiate an OAuth reconnect flow and overwrite the stored token material for that credential with tokens bound to an external account they control.
The addUser method in the XML-RPC API has a validation bypass introduced in the fix for CVE-2025-55129. API users could create usernames that enabled impersonation or stored XSS attacks.
CVE-2026-44960 involves a stored XSS that can be exploited by leveraging usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation.
A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low-privileged user could add an unexpected component parameter and inject malicious PHP code into the compiledlimitations field, which would then be executed during banner delivery.
The vulnerability allows advertiser-level users to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The banner-edit.php script allowed the banner status to be overwritten solely based on banner edit permissions.
A missing access control check when invoking various modify methods in the XML-RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships.
Low-privileged users could use their Full Name as a vector for a stored XSS attack. The name is included in system-generated emails, whose content is stored in the details field of the userlog table.
n8n is an open source workflow automation platform. Prior to versions 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name, potentially leading to SQL injection.
n8n is an open source workflow automation platform. Prior to versions 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could bypass the patch for CVE-2026-42232 in the XML node, potentially leading to RCE on the n8n host.
n8n is an open source workflow automation platform. Prior to versions 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could inject CLI flags on the Git node's Push operation, allowing an attacker to read arbitrary files from the n8n server potentially leading to full compromise.
n8n is an open source workflow automation platform. Prior to versions 1.123.43, 2.22.1, and 2.20.7, an authenticated user with permission to create or modify workflows could achieve global prototype pollution via an unvalidated pagination parameter in the HTTP Request node.
Langflow before version 1.9.0 contains a Path Traversal vulnerability in the Knowledge Bases API (POST /api/v1/knowledge_bases). An authenticated attacker can exploit the lack of input sanitization to create directories and write files anywhere on the server's filesystem.
Low-privileged session IDs generated for the web admin console could be reused in the XML-RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorized access and exploit API-level vulnerabilities.
A missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier could allow a low-privileged user to inject malicious PHP code into the compiledlimitations field on the database, resulting in its execution during banner delivery.
A missing sanitisation of user input in the zone-include.php script of Revive Adserver 6.0.6 and earlier could allow a low-privileged user to exploit the clientid parameter to perform blind SQL injection attacks. Input sanitisation has been improved to ensure that all parameters processed by the script are properly validated.
The zone-include.php script in Revive Adserver version 6.0.6 and earlier lacks proper input sanitisation. A low-privileged user could exploit the clientid parameter to perform blind SQL injection attacks.
A missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier could allow a low-privileged user to link their trackers to campaigns owned by other managers on the same instance.

