PULSE
LIVE17signals / 24h
FEED
ransomdoommageddon reclama a Reni Farmácias Associadas · BR · Healthcareransomunsafe reclama a CCR Solutions · BR · Business Servicesransomqilin reclama a PP+K · BR · Not Foundransomqilin reclama a Eana · AR · Not Foundransomqilin reclama a Synergy Products · TR · Not Foundransomnova reclama a meralmanisa · TR · Not Foundransomnova reclama a Dephub · ID · Not Foundransomnova reclama a Jota Joias Premium · BR · Consumer Servicesransomqilin reclama a Don Tortaco Mexican Grill · US · Hospitality and Tourismransomqilin reclama a Associated Theatrical Contractors · US · Business Servicesransompayload reclama a CKR Consulting Engineers · Business Servicesransomblackout reclama a yano.tokyo · JP · Technologyransomblackout reclama a www.miatech.net · US · Technologyransomblackout reclama a bluebellgroup.com · GB · Not Foundransomdoommageddon reclama a Reni Farmácias Associadas · BR · Healthcareransomunsafe reclama a CCR Solutions · BR · Business Servicesransomqilin reclama a PP+K · BR · Not Foundransomqilin reclama a Eana · AR · Not Foundransomqilin reclama a Synergy Products · TR · Not Foundransomnova reclama a meralmanisa · TR · Not Foundransomnova reclama a Dephub · ID · Not Foundransomnova reclama a Jota Joias Premium · BR · Consumer Servicesransomqilin reclama a Don Tortaco Mexican Grill · US · Hospitality and Tourismransomqilin reclama a Associated Theatrical Contractors · US · Business Servicesransompayload reclama a CKR Consulting Engineers · Business Servicesransomblackout reclama a yano.tokyo · JP · Technologyransomblackout reclama a www.miatech.net · US · Technologyransomblackout reclama a bluebellgroup.com · GB · Not Found
← All CVEs
CVE WatchJul 2, 2026

CVE-2026-56777

n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An auth

CVSS

5.0

Medium

EPSS

0.2%

p16

KEV

Exploit Today

5

0-100

Published: Jun 30, 2026 · Last modified: Jul 2, 2026 · CWE-184

EPSS · 30d
0.2%EPSS · 30 days0.3%
2026-07-012026-07-19
Technical description

n8n before 2.25.7 and 2.26.x before 2.26.2 contains an abstract syntax tree (AST) security validator bypass in the Python Code node. An authenticated user with permission to create or modify workflows containing a Python Code node can bypass the validator and access the task executor module namespace. The issue only affects self-hosted instances where the Python Task Runner is enabled; where N8N_BLOCK_RUNNER_ENV_ACCESS is configured to allow it, this can disclose environment variables accessible to the task runner process.

Official references
Related CVEs
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-344159.8 CRI
88.1%
26Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.5d
CVE-2026-545138.1 HIG
48.9%
15jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.2d
CVE-2026-4986910.0 CRI
48.4%
15Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.18d
CVE-2025-71355
42.5%
13Picklescan before 0.0.25 fails to detect unsafe global functions in the Numpy library, allowing attackers to bypass static analysis and execute arbitrary code during deserialization. Attackers can craft malicious pickle files using numpy.testing._private.utils.runstring within the reduce method to import dangerous libraries like os and execute arbitrary OS commands when the pickle file is loaded.18d
CVE-2026-487368.6 HIG
37.1%
11Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 5.4.0 to 5.4.53, 6.4.41, 7.4.13, and 8.0.13, NoPrivateNetworkHttpClient and IpUtils::PRIVATE_SUBNETS omitted IPv6 transition prefixes such as 6to4, NAT64, Teredo, and IPv4-compatible IPv6, allowing attacker-supplied URLs to represent private IPv4 targets in forms that IpUtils::isPrivateIp() did not block. This issue is fixed in versions 5.4.53, 6.4.41, 7.4.13, and 8.0.13.4d
CVE-2026-485578.8 HIG
35.7%
11Spatie Laravel Media Library before version 11.23.0 contains a file upload restriction bypass in FileAdder::defaultSanitizer(). The sanitizer checks only the final filename suffix, allowing double-extension filenames such as shell.php.jpg to bypass the blocklist, with pathinfo() preserving inner .php stems in saved filenames. The blocklist also omits executable extensions including .php6, .shtml, and .htaccess. The double-extension bypass requires a legacy Apache AddHandler configuration to achieve PHP execution; the incomplete blocklist bypass does not.5d