A workflow automation platform that allows users to create, automate, and integrate workflows between different services and applications through a visual interface, supporting both cloud-hosted and self-hosted deployments.

n8n is an open source workflow automation platform. Versions starting with 1.65.0 and below 1.121.0 enable an attacker to access files on the underlying server through execution of certain form-based workflows. A vulnerable workflow could grant access to an unauthenticated remote attacker, resulting in exposure of sensitive information stored on the system and may enable further compromise depending on deployment configuration and workflow usage. This issue is fixed in version 1.121.0.

CVE-2026-21858

GitHub Advisory Database

NixOS is a Linux distribution built on top of the Nix package manager. It is completely declarative, its system configurations are reproducible, makes configuration changes reliable and atomic, and eliminates configuration drift.

NixOS

n8n is an open source workflow automation platform. Prior to version 2.0.0, in self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. This allows a workflow editor to perform actions on the n8n host with the same privileges as the n8n process, including: reading files from the host filesystem (subject to any file-access restrictions configured on the instance and OS/container permissions), and writing files to the host filesystem (subject to the same restrictions). This issue has been patched in version 2.0.0. Workarounds for this issue involve limiting file operations by setting N8N_RESTRICT_FILE_ACCESS_TO to a dedicated directory (e.g., ~/.n8n-files) and ensure it contains no sensitive data, keeping N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES=true (default) to block access to .n8n and user-defined config files, and disabling high-risk nodes (including the Code node) using NODES_EXCLUDE if workflow editors are not fully trusted.

CVE-2025-68697

n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands on the host system running n8n, using the same privileges as the n8n process. This issue has been patched in version 2.0.0. Workarounds for this issue involve disabling the Code Node by setting the environment variable NODES_EXCLUDE: "[\"n8n-nodes-base.code\"]", disabling Python support in the Code node by setting the environment variable N8N_PYTHON_ENABLED=false, which was introduced in n8n version 1.104.0, and configuring n8n to use the task runner based Python sandbox via the N8N_RUNNERS_ENABLED and N8N_NATIVE_PYTHON_RUNNER environment variables.

CVE-2025-68668

JavaScript is a high-level, interpreted programming language essential for creating interactive web applications, running directly in web browsers to enable dynamic content and user interface enhancements. It is integral to the web development stack, working seamlessly with HTML and CSS to build responsive and feature-rich websites.

JavaScript

Chainguard is a Linux distribution based on Alpine. It's the commercial version of the Wolfi distro.

Chainguard

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify(). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versions 0.3.37 and 1.2.3

CVE-2025-68665

Python is a high-level, general-purpose programming language. Its key feature is the high readability of the code. It supports multiple programming paradigms, including Object-Oriented Programming (OOP) and Functional Programming.

Python

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

CVE-2025-68664

WordPress is a content management system paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes.

WordPress

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to blind SQL Injection via the `order` and `append_where_sql` parameters in all versions up to, and including, 1.6.9.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2025-12166

PHP is a general-purpose scripting language that is especially suited for web development.

### Impact
Versions of the Algolia Search & Discovery extension for Magento 2 prior to **3.17.2** and **3.16.2** contain a vulnerability where data read from the database was treated as a trusted source during job execution.
If an attacker is able to modify records used by the extension’s indexing queue, this could result in **arbitrary PHP code execution** when the affected job is processed.
Exploitation requires the ability to write malicious data to the Magento database and for the indexing queue to be enabled.
---
### Patches
This vulnerability has been fixed in the following versions:
- **3.17.2**
- **3.16.2**
Merchants should upgrade to a supported patched version immediately.
Versions outside the supported maintenance window do **not** receive security updates and remain vulnerable.
---
### Workarounds
Upgrading to a patched version is the only recommended remediation.
If an immediate upgrade is not possible, the following temporary risk mitigations may reduce exposure:
- Disable the Algolia indexing queue to prevent queued jobs from being executed.
- Restrict job execution logic to an explicit allowlist of permitted operations.
- Review the contents of the `algoliasearch_queue` table for unexpected or unrecognized entries.
- If queue archiving is enabled, review historical records in `algoliasearch_queue_archive`.
These mitigations are provided as guidance only and do not replace upgrading to a patched version.
---
### References
- Algolia Search & Discovery for Magento 2 releases:
  - [3.16.2](https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.16.2)
  - [3.17.2](https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.17.2)

GHSA-595p-g7xc-c333

Composer

### Impact
Attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory.
Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed).
The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected.
Finally, a second and lesser bug - a ReDOS - also exhibits when those same line break characters are present in a patch's *patch* header (also known as its "leading garbage"). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse.
### Patches
All vulnerabilities described are fixed in v8.0.3.
### Workarounds
If using a version of jsdiff earlier than v8.0.3, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`.
### References
PR that fixed the bug: https://github.com/kpdecker/jsdiff/pull/649

GHSA-73rr-hh4g-fpgx

### Summary
The `RedirectSlashes` function in middleware/strip.go does not perform correct input validation and can lead to an open redirect vulnerability.
### Details
The `RedirectSlashes` function performs a `Trim` to all forward slash (`/`) characters, while prepending a single one at the begining of the path (Line 52).
However, it does not trim backslashes (`\`).
```go
File: middleware/strip.go
41: func RedirectSlashes(next http.Handler) http.Handler {
...
51: 			// Trim all leading and trailing slashes (e.g., "//evil.com", "/some/path//")
52: 			path = "/" + strings.Trim(path, "/")
...
62: }
```
Also, from version 5.2.2 onwards the `RedirectSlashes` function does not take into consideration the `Host` Header in the redirect response returned. This was done in order to combat another [[vulnerability](https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93)](https://github.com/go-chi/chi/security/advisories/GHSA-vrw8-fxc6-2r93).
The above make it possible for a response in the following form:
```
HTTP/1.1 301 Moved Permanently
Location: /\evil.com
```
The `/\evil.com` will be transformed by most browsers (Chrome, Firefox, etc. not Safari) into `//evil.com` which is a protocol relative URL and will result in a redirect to `evil.com`, essentially making it an open redirect vulnerability.
### PoC
A minimal working example can be seen below.
```go
package main
import (
	"fmt"
	"net/http"
	"github.com/go-chi/chi/v5"
	"github.com/go-chi/chi/v5/middleware"
)
func main() {
	r := chi.NewRouter()
	r.Use(middleware.RedirectSlashes)
	r.Get("/*", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	fmt.Println("Server starting on port 8081...")
	if err := http.ListenAndServe(":8081", r); err != nil {
		fmt.Printf("Error starting server: %v\n", err)
	}
}
```
And when we request the path `/\evil.com` (needs a second backslash or URL encoding in the terminal), the HTTP Redirect Location is just `/\evil.com` without any domain/Host information.
```bash
$ curl -I  localhost:8081/\\evil.com/
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: /\evil.com
```
```bash
$ curl -I  localhost:8081/%5Cevil.com/
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Location: /\evil.com
```
This opened in a browser (Chrome, Firefox) will result in a transformation to `//evil.com` which in turn will result in a redirect to `evil.com`.
<img width="200" alt="image-20250829115619807" src="https://github.com/user-attachments/assets/44aedad1-64b6-4660-8b26-fad9b4eca036" />
<img width="200" alt="image-20250829115632067" src="https://github.com/user-attachments/assets/b976d47d-1975-469c-abd3-deb907a68db2" />
### Impact
This essentially consists of an open redirect vulnerability, provided that victim users use the most popular browsers (Chrome, Firefox, etc. It does not work in e.g. Safari).
The attacker can construct a malicious URL on a domain of a legitimate website and send it to the victim user. The victim users thinking that they will click on a legitimate website's URL, they will unknowingly be reidrected to an attacker controlled website.
This can lead to credential theft if the victim gets redirected to a phishing website, to malware that is hosted on the attacker controlled website etc. Also, it has a greate reputation / business impact for the affected legitimate website.
In order to exploit this vulnerability the attacker does not need to be authenticated or have ay other priviledge / knowledge regarding the affected application.
CVSS Score: [4.7 (Medium)](https://www.first.org/cvss/calculator/3-0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N)

GHSA-mqqf-5wvp-8fh8

GoLang

Shopware is an open commerce platform. From 6.7.0.0 to before 6.7.6.1, a regression of CVE-2023-2017 leads to an array and array crafted PHP Closure not checked being against allow list for the map(...) override. This vulnerability is fixed in 6.7.6.1.

CVE ID	Severità	Punteggio	Tecnologie	Nome del componente	Exploit CISA KEV	Ha la correzione	Data di pubblicazione
CVE-2026-21858	CRITICAL	10	n8n	n8n	No	Sì	Jan 08, 2026
CVE-2025-68697	MEDIUM	5.4	NixOS	n8n	No	Sì	Dec 26, 2025
CVE-2025-68668	CRITICAL	9.9	NixOS	n8n	No	Sì	Dec 26, 2025
CVE-2025-68665	CRITICAL	9.1	JavaScript	langfuse-fips-2	No	Sì	Dec 23, 2025
CVE-2025-68664	HIGH	8.2	Python	langchain-core	No	Sì	Dec 23, 2025

CVE ID	Severità	Punteggio	Tecnologie	Nome del componente	Exploit CISA KEV	Ha la correzione	Data di pubblicazione
CVE-2025-12166	HIGH	7.5	WordPress	simply-schedule-appointments	No	Sì	Jan 14, 2026
GHSA-595p-g7xc-c333	MEDIUM	6.9	PHP	algolia/algoliasearch-magento-2	No	Sì	Jan 14, 2026
GHSA-73rr-hh4g-fpgx	LOW	N/A	JavaScript	diff	No	Sì	Jan 14, 2026
GHSA-mqqf-5wvp-8fh8	MEDIUM	4.7	N/A	github.com/go-chi/chi	No	Sì	Jan 14, 2026
CVE-2026-23498	HIGH	7.2	PHP	shopware/core	No	Sì	Jan 14, 2026

Database delle vulnerabilità Wiz

Esplora per tecnologia

Filtri popolari

Alto profilo

Più recenti

I numeri delle vulnerabilità

Il buono, il cattivo e il vulnerabile

Ulteriori risorse Wiz

PEACH

Pronti a vedere Wiz in azione?