253 matches found
CVE-2026-42235
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted clientname. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that...
CVE-2026-42235
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted clientname. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that...
CVE-2026-42235
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted clientname. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that...
CVE-2026-42235 n8n: XSS via MCP OAuth client
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, an unauthenticated attacker could register a malicious MCP OAuth client with a crafted clientname. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that...
CVE-2026-42235
CVE-2026-42235 affects the n8n open-source workflow automation platform. An unauthenticated attacker could register a malicious MCP OAuth client with a crafted client_name. If a victim user approves the OAuth consent and another user later revokes that access, a toast renders the injected script,...
GHSA-537J-GQPC-P7FQ n8n Vulnerable to XSS via MCP OAuth client
Impact An unauthenticated attacker could register a malicious MCP OAuth client with a crafted clientname. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute...
n8n Vulnerable to XSS via MCP OAuth client
Impact An unauthenticated attacker could register a malicious MCP OAuth client with a crafted clientname. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute...
PT-2026-36905
Name of the Vulnerable Software and Affected Versions n8n versions prior to 1.123.32 n8n versions prior to 2.17.4 n8n versions prior to 2.18.1 Description An unauthenticated attacker can register a malicious MCP OAuth client using a crafted client name. If a victim user authorizes the OAuth conse...
CVE-2026-34716
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...
GHSA-W4HP-W536-JG64 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
Summary The AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML '' + heading + '' and inserts it into the DOM via jQuery...
AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
Summary The AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as raw HTML '' + heading + '' and inserts it into the DOM via jQuery...
CVE-2026-34716 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...
CVE-2026-34716 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...
CVE-2026-34716 AVideo: DOM XSS via Unsanitized Display Name in WebSocket Call Notification
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...
PT-2026-29360
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin constructs the heading as...
Malicious Package
Overview react-toast-cold is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
MAL-2026-626 Malicious code in react-toast-cold (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10dcf80d6b6e15bcfb18c2f1a4211efd1c79f6f66e8aa34bbab7107a90d1da86 The package react-toast-cold was found to contain malicious code. Source: ghsa-malware dc67550f336ea3c52946bb6d0ab4f031eee7a60cc562b0fd4220750c72f086...
Malicious code in react-toast-cold (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10dcf80d6b6e15bcfb18c2f1a4211efd1c79f6f66e8aa34bbab7107a90d1da86 The package react-toast-cold was found to contain malicious code. Source: ghsa-malware dc67550f336ea3c52946bb6d0ab4f031eee7a60cc562b0fd4220750c72f086...
CVE-2019-11004
In Materialize through 1.0.0, XSS is possible via the Toast feature...
CVE-2022-23458
Toast UI Grid is a component to display and edit data. Versions prior to 4.21.3 are vulnerable to cross-site scripting attacks when pasting specially crafted content into editable cells. This issue was fixed in version 4.21.3. There are no known workarounds...