Description
n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can inject XSS payloads that execute persistently for all form visitors, enabling form hijacking and phishing attacks.
Published: 2026-06-24
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross-site scripting flaw in the CSS sanitization logic of n8n's Form Trigger node. An attacker who can create or edit workflows can embed arbitrary JavaScript, which then executes every time the corresponding form is visited. This allows the attacker to hijack form sessions, collect credentials, inject phishing interfaces, or deface the form interface.

Affected Systems

This issue affects the n8n automation platform. Users running n8n 1.x earlier than 1.123.25 or n8n 2.x earlier than 2.11.2 are vulnerable. The vulnerability is addressed in later releases, including 2.12.0.

Risk and Exploitability

The CVSS score is 5.1, indicating moderate risk. Because no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation is unclear. The flaw requires an authenticated account with workflow-creation rights; such an attacker can store scripts that then run persistently in the browsers of form visitors. Exploitation does not provide remote code execution but enables persistent client-side attacks such as phishing and credential theft.

Generated by OpenCVE AI on June 24, 2026 at 13:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade n8n to v1.123.25 or later, or to v2.12.0 or later.
  • Remove or sanitize any Form Trigger nodes that contain injected scripts.
  • Restrict workflow creation permissions to trusted users only.



Advisories
Source: Github GHSA
ID: GHSA-q4fm-pjq6-m63g
Title: n8n has a Stored XSS Vulnerability in its Form Trigger
History

Wed, 24 Jun 2026 16:30:00 +0000

Values added:

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 12:00:00 +0000

Values added:

Description: n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can inject XSS payloads that execute persistently for all form visitors, enabling form hijacking and phishing attacks.
Title: n8n - Stored Cross-Site Scripting in Form Trigger Node
First Time appeared: N8n; N8n n8n
Weaknesses: CWE-79
CPEs: cpe:2.3:a:n8n:n8n:*:*:*:*:*:node.js:*:*
Vendors & Products: N8n; N8n n8n
References: (none)
Metrics (cvssV3_1): {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Metrics (cvssV4_0): {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T16:01:44.567Z

Reserved: 2026-06-20T21:16:53.711Z

Link: CVE-2026-56358

Vulnrichment

Updated: 2026-06-24T16:01:40.858Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T16:04:11Z

Weaknesses
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')