projectdiscovery · eyangfeng88-arch · Apr 17, 2026 · Apr 17, 2026 · Apr 17, 2026
diff --git a/batch5/CVE-2026-1470.yaml b/batch5/CVE-2026-1470.yaml
@@ -0,0 +1,149 @@
+id: CVE-2026-1470
+
+info:
+  name: n8n - Authenticated Remote Code Execution via Expression Sandbox Bypass
+  author: eyangfeng88-arch
+  severity: critical
+  description: |
+    n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system.
+    Authenticated users can bypass the Expression sandbox mechanism using JavaScript `with` statements to achieve
+    full remote code execution on n8n's main node. The vulnerability affects the Expression Node where user-supplied
+    expressions are evaluated without sufficient isolation from the underlying runtime.
+
+    Attack vector: Authenticated user creates/modifies a workflow with malicious expression like:
+    {{ (function(){ var constructor = 123; with(function(){}){ return constructor("return process.mainModule.require('child_process').execSync('id').toString()")() } })() }}
+
+    Affected versions:
+    - n8n < 1.123.17
+    - n8n >= 2.0.0, < 2.4.5
+    - n8n >= 2.5.0, < 2.5.1
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-1470
+    - https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04
+    - https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 9.9
+    cve-id: CVE-2026-1470
+    cwe-id: CWE-95
+  metadata:
+    vendor: n8n
+    product: n8n
+    shodan-query: http.title:"n8n"
+    affected_versions:
+      - n8n < 1.123.17
+      - n8n >= 2.0.0, < 2.4.5
+      - n8n >= 2.5.0, < 2.5.1
+    patched_versions:
+      - n8n >= 1.123.17
+      - n8n >= 2.4.5
+      - n8n >= 2.5.1
+  tags: cve,cve2026,n8n,rce,authenticated,eval-injection,workflow,sandbox-escape
+
+http:
+  # Step 1: Detect n8n instance
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "n8n"
+          - "workflow"
+          - "automation"
+        condition: or
+
+      - type: status
+        status:
+          - 200
+          - 302
+
+    extractors:
+      - type: regex
+        part: body
+        name: version
+        regex:
+          - "(?i)n8n[\\s\\-]*(?:version)?\\s*([0-9]+\\.[0-9]+\\.[0-9]+)"
+        group: 1
+        internal: true
+
+  # Step 2: Check health endpoint
+  - method: GET
+    path:
+      - "{{BaseURL}}/healthz"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "ok"
+          - "healthy"
+        condition: or
+
+      - type: status
+        status:
+          - 200
+
+  # Step 3: Check REST API version endpoint (may require auth)
+  - method: GET
+    path:
+      - "{{BaseURL}}/rest/version"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "version"
+
+      - type: status
+        status:
+          - 200
+          - 401
+
+    extractors:
+      - type: json
+        part: body
+        name: api_version
+        json:
+          - ".version"
+        internal: true
+
+  # Step 4: Check workflows endpoint (requires auth)
+  - method: GET
+    path:
+      - "{{BaseURL}}/rest/workflows"
+
+    matchers:
+      - type: status
+        status:
+          - 200
+          - 401
+          - 403
+
+  # Step 5: Version-based vulnerability check
+  - method: GET
+    path:
+      - "{{BaseURL}}/rest/version"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "version"
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: json
+        part: body
+        name: detected_version
+        json:
+          - ".version"
+
+      - type: dsl
+        dsl:
+          - '"Detected n8n version: " + detected_version'
diff --git a/batch5/CVE-2026-34040.yaml b/batch5/CVE-2026-34040.yaml
@@ -0,0 +1,55 @@
+id: CVE-2026-34040
+
+info:
+  name: Docker Engine (Moby) - Authorization Plugin Bypass
+  author: eyangfeng88-arch
+  severity: high
+  description: |
+    A security vulnerability has been detected in Moby (Docker Engine) that allows attackers to bypass authorization plugins (AuthZ).
+    Prior to version 29.3.1, an attacker could make the Docker daemon forward a request to an authorization plugin without the body,
+    potentially allowing a request that would have otherwise been denied. This is an incomplete fix for CVE-2024-41110.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-34040
+    - https://github.com/moby/moby/security/advisories/GHSA-x744-4wpc-v9h2
+    - https://github.com/moby/moby/releases/tag/docker-v29.3.1
+  classification:
+    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
+    cvss-score: 8.8
+    cve-id: CVE-2026-34040
+    cwe-id: CWE-288
+  metadata:
+    vendor: docker
+    product: moby
+    affected_versions:
+      - Moby (Docker Engine) < 29.3.1
+    patched_versions:
+      - Moby (Docker Engine) >= 29.3.1
+  tags: cve,cve2026,docker,moby,authz,bypass,container
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/version"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Docker"
+          - "ApiVersion"
+        condition: or
+
+      - type: status
+        status:
+          - 200
+
+    extractors:
+      - type: json
+        part: body
+        name: version
+        json:
+          - ".Version"
+
+      - type: dsl
+        dsl:
+          - 'compare_versions(version, "<29.3.1")'
diff --git a/batch5/CVE-2026-34793.yaml b/batch5/CVE-2026-34793.yaml
@@ -0,0 +1,66 @@
+id: CVE-2026-34793
+
+info:
+  name: Endian Firewall - Authenticated OS Command Injection
+  author: eyangfeng88-arch
+  severity: high
+  description: |
+    Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands
+    via the DATE parameter to /cgi-bin/logs_firewall.cgi. The DATE parameter value is used to construct
+    a file path that is passed to a Perl open() call, which allows command injection due to incomplete
+    regular expression validation.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-34793
+    - https://www.vulncheck.com/advisories/endian-firewall-cgi-bin-logs-firewall-cgi-date-perl-command-injection
+  classification:
+    cvss-metrics: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
+    cvss-score: 8.7
+    cve-id: CVE-2026-34793
+    cwe-id: CWE-78
+  metadata:
+    vendor: endian
+    product: firewall
+    shodan-query: http.title:"Endian Firewall"
+    affected_versions:
+      - Endian Firewall <= 3.3.25
+    patched_versions:
+      - Endian Firewall > 3.3.25
+  tags: cve,cve2026,endian,firewall,rce,authenticated,command-injection,cgi
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/"
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Endian Firewall"
+          - "Endian"
+        condition: or
+
+      - type: status
+        status:
+          - 200
+          - 302
+
+    extractors:
+      - type: regex
+        part: body
+        name: version
+        regex:
+          - "(?i)Endian\\s*(?:Firewall)?\\s*(?:version)?\\s*([0-9]+\\.[0-9]+\\.[0-9]+)"
+        group: 1
+
+  - method: GET
+    path:
+      - "{{BaseURL}}/cgi-bin/logs_firewall.cgi"
+
+    matchers:
+      - type: status
+        status:
+          - 200
+          - 401
+          - 403
+          - 302