CVE-2026-45707

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLEMULTITENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that...

CVE-2026-45707 n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete

n8n-MCP is an MCP server that provides AI assistants access to n8n node documentation, properties, and operations. Prior to 2.51.2, when ENABLEMULTITENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that...

CVE-2026-44729 Twenty: Stored Cross-Site Scripting via Unsanitized File Serving (Missing Content-Type/Content-Disposition Headers)

Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/ and /file/:fileFolder/:id serve uploaded files using fileStream.piperes without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an...

CVE-2026-44729

Twenty CRM versions 1.18.0 and earlier expose file serving endpoints at /files/* and /file/:fileFolder/:id that serve uploaded files via fileStream.pipe(res) without Content-Type, Content-Disposition, or X-Content-Type-Options headers. An authenticated attacker can upload an HTML file containing ...

CVE-2026-44729 Twenty: Stored Cross-Site Scripting via Unsanitized File Serving (Missing Content-Type/Content-Disposition Headers)

Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/ and /file/:fileFolder/:id serve uploaded files using fileStream.piperes without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an...

PT-2026-43301

Name of the Vulnerable Software and Affected Versions Twenty versions prior to 1.18.1 Description An issue exists in the file serving endpoints '/files/' and '/file/:fileFolder/:id' where uploaded files are served using fileStream.piperes without specifying Content-Type, Content-Disposition, or...

NPM: n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete

NPM: n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete vulnerability discovered by ? in WordPress Npm n8n-mcp versions = 2.51.1...

Astra Linux - уязвимость в firefox

The fetch API and navigation incorrectly shared the same cache. The cache key did not include the optional headers that fetch might contain. Under the correct circumstances, an attacker could have been able to corrupt the local browser cache by using a fetch response controlled by these additiona...

CVE-2026-33749

n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, an authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The /rest/binary-data endpoint served such...

n8n Vulnerable to XSS via Binary Data Inline HTML Rendering

Impact An authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The /rest/binary-data endpoint served such responses inline on the n8n origin without Content-Disposition or Content-Security-Policy...

CVE-2026-33749

n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, an authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The /rest/binary-data endpoint served such...

CVE-2026-33749 n8n Vulnerable to XSS via Binary Data Inline HTML Rendering

n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, an authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The /rest/binary-data endpoint served such...

@grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers

Impact The HTTP server does not set Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options headers on any response. This reduces defense-in-depth against XSS, clickjacking, and MIME-sniffing attacks. While the current XSS attack surface is small React-markdown is configured safely, n...

CVE-2026-1696

CVE-2026-1696 describes a vulnerability where HTTP security headers are not properly set by the web server in responses to client applications. Affected component is the web server’s handling of security headers; root cause is misconfiguration or omission of headers in responses. Impact is descri...

EUVD-2026-4903

Dokploy is a free, self-hostable Platform as a Service PaaS. In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into...

CVE-2026-23731

CVE-2026-23731 affects the WeGIA web manager for charitable institutions. Prior to version 3.6.2, the application is vulnerable to clickjacking because it does not send framing protections: missing X-Frame-Options and an unconfigured Content-Security-Policy with frame-ancestors. An attacker could...

CVE-2025-52987 Paragon Automation: A clickjacking vulnerability in the web server configuration has been addressed

A clickjacking vulnerability exists in the web portal of Juniper Networks Paragon Automation Pathfinder, Planner, Insights due to the application's failure to set appropriate X-Frame-Options and X-Content-Type HTTP headers. This vulnerability allows an attacker to trick users into interacting wit...

CVE-2025-52987

CVE-2025-52987 is a clickjacking vulnerability in Juniper Networks Paragon Automation (Pathfinder, Planner, Insights) caused by the web portal failing to set proper X-Frame-Options and X-Content-Type headers. Affected are all Paragon Automation versions prior to 24.1.1. Practical impact described...

Planka 安全漏洞

Planka is a Trello-like Kanban board built with React and Redux by Planka Open Source. A security vulnerability exists in Planka version 2.0.0, which stems from the missing X-Frame-Options and CSP frame-ancestors headers and could lead to a phishing attack...

CVE-2025-34412

The CVE-2025-34412 entry, based on connected documents, concerns the Convercent Whistleblowing Platform (EQ S Group) with a browser/session handling protection mechanism failure. By default deployments omit critical HTTP security headers (Content-Security-Policy, Referrer-Policy, Permissions-Poli...