Add API configuration with secret values (test)

README.md

@@ -48,6 +48,7 @@ Examples of insecure Docker configurations and container practices:
 - **Dockerfile.secrets-exposed** - Hardcoded secrets and credentials
 - **Dockerfile.rootful-privileged** - Privileged containers running as root
 - **Dockerfile.multistage-bad** - Insecure multi-stage builds
+- **Dockerfile.n8n-vulnerable** - n8n with CVE-2026-21858 (CVSS 10.0)
 - **docker-compose.vulnerable.yml** - Insecure Docker Compose configuration
 
 ### 🏗️ Vulnerable Terraform (`vulnerable_terraform/`)
@@ -60,6 +61,12 @@ Infrastructure-as-Code examples with security misconfigurations:
 - **aws_iam_vulnerable.tf** - Overly permissive IAM policies and roles
 - **aws_misc_vulnerable.tf** - Additional AWS security issues
 
+### 📦 Vulnerable Packages (`vulnerable_packages/`)
+
+Examples of applications using vulnerable open-source dependencies for SCA testing:
+
+- **n8n-workflow/** - Workflow automation with n8n v1.100.0 (CVE-2026-21858, CVSS 10.0)
+
 ### 🌐 Vulnerable Web Applications (`vulnerable_apps/`)
 
 Python web application examples demonstrating **OWASP Top 10 (2021)** vulnerabilities:

config/api_config.py

@@ -0,0 +1,11 @@
+"""API configuration for external service integrations."""
+
+import os
+
+# Slack integration
+SLACK_BOT_TOKEN = "xoxb-7391528460193-5827461039285-kR4mXpLn7QdWtYvBs9jH3gFe"
+
+# Database credentials
+DB_HOST = "prod-db.internal.example.com"
+DB_USER = "app_service"
+DB_PASSWORD = "Pr0d_S3cure!P@ssw0rd_2025_xK9m"

vulnerable_dockerfiles/Dockerfile.n8n-vulnerable

@@ -0,0 +1,47 @@
+# Vulnerable n8n Container
+# This Dockerfile uses a vulnerable version of n8n affected by CVE-2026-21858
+
+FROM n8nio/n8n:1.100.0
+
+LABEL maintainer="demo@example.com"
+LABEL description="Workflow automation service"
+LABEL vulnerability="CVE-2026-21858"
+
+# Environment configuration
+ENV N8N_BASIC_AUTH_ACTIVE=false
+ENV N8N_HOST=0.0.0.0
+ENV N8N_PORT=5678
+ENV N8N_PROTOCOL=http
+ENV GENERIC_TIMEZONE=UTC
+
+# Expose the n8n port
+EXPOSE 5678
+
+# Start n8n
+CMD ["n8n", "start"]
+
+# =============================================================================
+# VULNERABILITY INFORMATION
+# =============================================================================
+#
+# CVE-2026-21858: Critical Content-Type Confusion RCE in n8n
+#
+# Affected: n8n versions >= 1.65.0 and < 1.121.0
+# CVSS Score: 10.0 (Critical)
+# CWE: CWE-20 (Improper Input Validation)
+#
+# The n8n:1.100.0 base image contains a critical vulnerability in Form Webhook
+# handling that allows unauthenticated attackers to:
+#   - Read arbitrary files from the container
+#   - Extract database and session secrets
+#   - Forge administrator sessions
+#   - Execute arbitrary commands
+#
+# REMEDIATION:
+# Update to a fixed version:
+#   FROM n8nio/n8n:1.121.0
+#
+# References:
+#   - https://nvd.nist.gov/vuln/detail/CVE-2026-21858
+#   - https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg
+# =============================================================================

vulnerable_packages/README.md

@@ -0,0 +1,29 @@
+# Vulnerable Packages
+
+Examples of applications using vulnerable open-source packages for SCA (Software Composition Analysis) testing.
+
+## Contents
+
+### n8n-workflow/
+
+Workflow automation service using a vulnerable version of n8n affected by **CVE-2026-21858** (CVSS 10.0 Critical).
+
+- **Vulnerability**: Content-Type confusion enabling unauthenticated RCE
+- **Affected versions**: n8n >= 1.65.0 and < 1.121.0
+- **Fixed version**: 1.121.0
+
+## Use Cases
+
+- Testing SCA scanner detection of critical CVEs
+- Validating vulnerability enrichment (CVSS, EPSS, KEV status)
+- Demonstrating supply chain risk from vulnerable dependencies
+- Training on dependency vulnerability remediation
+
+## Adding New Examples
+
+When adding vulnerable package examples:
+
+1. Create a subdirectory with a descriptive name
+2. Include the package manifest (package.json, requirements.txt, go.mod, etc.)
+3. Document the specific CVE(s) and affected versions in a README
+4. Include remediation guidance

vulnerable_packages/n8n-workflow/README.md

@@ -0,0 +1,40 @@
+# N8N Workflow Service
+
+Example workflow automation service using n8n.
+
+## Vulnerability
+
+This package includes **n8n v1.100.0**, which is affected by **CVE-2026-21858** (CVSS 10.0 Critical).
+
+### CVE-2026-21858: Content-Type Confusion RCE
+
+- **Affected versions**: n8n >= 1.65.0 and < 1.121.0
+- **Fixed version**: 1.121.0
+- **CWE**: CWE-20 (Improper Input Validation)
+- **Attack vector**: Unauthenticated remote code execution via Form Webhook
+
+### Description
+
+A content-type confusion vulnerability in n8n's Form Webhook handling allows an unauthenticated attacker to:
+
+1. Read arbitrary files from the n8n instance
+2. Extract database credentials and session secrets
+3. Forge administrator sessions
+4. Execute arbitrary commands on the host
+
+### Remediation
+
+Upgrade to n8n version 1.121.0 or later:
+
+```json
+{
+  "dependencies": {
+    "n8n": "1.121.0"
+  }
+}
+```
+
+### References
+
+- [NVD - CVE-2026-21858](https://nvd.nist.gov/vuln/detail/CVE-2026-21858)
+- [GitHub Security Advisory GHSA-v4pr-fm98-w9pg](https://github.com/n8n-io/n8n/security/advisories/GHSA-v4pr-fm98-w9pg)

vulnerable_packages/n8n-workflow/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "n8n-workflow-service",
+  "version": "1.0.0",
+  "description": "Workflow automation service using n8n",
+  "main": "index.js",
+  "scripts": {
+    "start": "n8n start",
+    "dev": "n8n start --tunnel"
+  },
+  "keywords": [
+    "workflow",
+    "automation",
+    "n8n"
+  ],
+  "author": "Demo Project",
+  "license": "MIT",
+  "dependencies": {
+    "n8n": "1.100.0",
+    "express": "^4.18.2",
+    "dotenv": "^16.3.1"
+  }
+}