CVE-2026-56358

Summary

n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can inject XSS payloads that execute persistently for all form visitors, enabling form hijacking and phishing attacks.

Affected Software

VendorProductVersion RangeStatus
n8nn8n0 < 1.123.25affected
n8nn8n1.123.25unaffected
n8nn8n2.0.0-rc.0 < 2.11.2affected
n8nn8n2.11.2unaffected
n8nn8n0 < 2.11.2affected
n8nn8n2.11.2unaffected
n8nn8n0 < 1.123.25affected
n8nn8n1.123.25unaffected

Weaknesses

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References