@regis-samurai/n8n (>=0.216.1 <=0.219.1), n8n-nodes-accelo (>=0.1.0 <=0.1.9) +11 more potentially affected by CVE-2026-33749 via n8n (>=0.138.0 <=0.93.0)

n8n NPM version =0.138.0, =0.216.1, =0.1.0, =0.18.0, =0.1.0, =0.1.0, =0.2.14, =0.1.0, =0.1.0, =0.0.2, =0.0.2, =1.1.3 Source cves: CVE-2026-33749 Source advisory: OSV:GHSA-QFC3-HM4J-7Q77...

CVE-2026-33749

creationtimestamp| type| source ---|---|--- 2026-03-25 21:59:54+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mhw3lomq6p2i 2026-03-27 21:22:34+00:00| seen| Telegram/HCzuKY5MuLPsfoEI5S3ks6iQFEX7xEFL0kHnLhrHZ36Sb0...

CVE-2026-33749

n8n is vulnerable to XSS in versions prior to 1.123.27, 2.13.3, and 2.14.1. An authenticated user who can create or modify workflows could craft a workflow that returns an HTML binary data object via /rest/binary-data without a filename and without Content-Disposition or Content-Security-Policy h...