Back to overview

CVE-2026-56356

MEDIUM
5.4
CVSS 3.1
Description
n8n contains a stored cross-site scripting vulnerability in the Chat Trigger node's Custom CSS field due to a misconfiguration of the sanitize-html library. Affected releases are those before 1.123.27, the 2.0.0 through 2.13.2 line, and 2.14.0 (fixed in 1.123.27, 2.13.3, and 2.14.1). An authenticated user with permission to create or modify workflows can inject JavaScript that bypasses sanitization, resulting in stored XSS against any user who visits the public chat page.

Metadata

CVE ID
CVE-2026-56356
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-20 21:16 UTC
Published
2026-06-30 22:08 UTC
Last updated
2026-06-30 22:08 UTC
Primary CWE
CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product
n8n / n8n
Sources
cve.org  ·  NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected products (3)
VendorProductPlatformVersions
n8n n8n 0 < 1.123.27, 1.123.27, 2.0.0-rc.0 < 2.13.3, 2.13.3 …
n8n n8n 0 < 2.14.1, 2.14.1
n8n n8n 0 < 2.13.3, 2.13.3
Weakness (CWE)
CWESourceDescription
CWE-79 cna Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (2)
ScoreSeverityVersionSourceVector
5.4 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.1 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
References (2)
Back to overview