LOW 2.2 CVE-2026-54327 Pi Agent: Race condition in Pi auth.json writes could expose stored credentials
LOW 2.5 CVE-2026-54326 Pi Agent: Potential XSS in HTML session exports via Markdown URL sanitization bypass
— @nuxt/webpack-builder and @nuxt/rspack-builder dev server same-origin check bypassed when Sec-Fetch-Site, Origin, and Referer are all absent (incomplete fix for GHSA-6m52-m754-pw2g)
HIGH 7.7 n8n: SecurityScorecard Node Leaks API Token to User-Controlled Host
CRITICAL 10.0 n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions
CRITICAL 9.9 n8n: Cross-Tenant Credential Takeover via Dynamic Credentials EE Endpoints
CRITICAL 9.6 n8n: Credential Exfiltration via Permission Bypass
MEDIUM 5.9 n8n: Denial of Service via ZIP decompression in webhook workflow
HIGH 7.6 n8n: Stored XSS in Chat Trigger Node
HIGH 7.6 n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints
HIGH 8.5 n8n: Microsoft SQL Node Prototype Pollution
CRITICAL 9.0 LobeHub: Unauthenticated SSRF in `/webapi/proxy`