3509 matches found
CVE-2025-69206 Hemmelig has SSRF Filter bypass in Secret Request functionality
Hemmelig is a messaging app with client-side encryption and self-destructing messages. Prior to version 7.3.3, a Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private ...
CVE-2025-69206
CVE-2025-69206 (Hemmelig) describes an SSRF filter bypass in the Secret Requests webhook URL validation prior to version 7.3.3. The isPublicUrl check blocks private IPs by hostname patterns, but can be bypassed via DNS rebinding (e.g., localtest.me) or open redirects, allowing an authenticated us...
CVE-2025-61914
n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting XSS vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the...
PT-2025-53754
Name of the Vulnerable Software and Affected Versions Hemmelig versions prior to 7.3.3 Description A Server-Side Request Forgery SSRF filter bypass exists in the webhook URL validation of the Secret Requests feature in Hemmelig, a messaging app with client-side encryption and self-destructing...
Hemmelig Security Vulnerability
Hemmelig is a content encryption software from Hemmelig Open Source. A security vulnerability exists in Hemmelig versions prior to 7.3.3 that stems from an SSRF filter bypass in Webhook URL validation, which could lead to server-side request forgery attacks...
CVE-2025-61914
Summary: CVE-2025-61914 affects n8n before version 1.114.0, where a stored XSS in the “Respond to Webhook” node could execute malicious JavaScript in the editor interface. The root cause is HTML responses with executable scripts not sandboxed as in 1.103.0, enabling a user with workflow creation ...
CVE-2025-61914 n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox
n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting XSS vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the...
Cross-site Scripting (XSS)
Overview n8n is a workflow automation tool. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Respond to Webhook node when it responds with HTML content containing executable scripts. An attacker can execute arbitrary JavaScript in the context of the editor...
EUVD-2025-205456
n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox...
n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox
Summary A stored Cross-Site Scripting XSS vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced ...
GHSA-58JC-RCG5-95F3 n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox
Summary A stored Cross-Site Scripting XSS vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the top-level window, rather than within the expected sandbox introduced ...
PT-2025-53603
Name of the Vulnerable Software and Affected Versions n8n versions prior to 1.114.0 Description n8n is a workflow automation platform. A stored Cross-Site Scripting XSS issue may occur when using the “Respond to Webhook” node in versions before 1.114.0. If this node responds with HTML content...
n8n Cross-Site Scripting Vulnerability
n8n is a scalable workflow automation tool from n8n open source. A cross-site scripting vulnerability exists in versions prior to n8n 1.114.0 that stems from the Respond to Webhook node not being properly sandboxed when processing HTML content, which could lead to an attacker with workflow creati...
Permissive List of Allowed Inputs
Overview n8n-nodes-base is the base nodes package of n8n. Affected versions of this package are vulnerable to Permissive List of Allowed Inputs in the Webhook Node's IP whitelist validation, because the includes method performs partial string matching instead of exact IP comparison. An attacker can gain...
Crafty Controller 4.6.1 Remote Code Execution / Server-Side Template Injection
Crafty Controller version 4.6.1 allows authenticated remote attackers to execute arbitrary system commands on the target server through server-side template injection in the webhook configuration feature...
CVE-2025-14700
An input neutralization vulnerability in the Webhook Template component of Crafty Controller allows a remote, authenticated attacker to perform remote code execution via Server Side Template Injection...
SUSE CVE-2017-18870
An issue was discovered in Mattermost Server before 4.5.0, 4.4.5, and 4.3.4. It mishandled webhook access control in the EnableOnlyAdminIntegrations case...