CVE-2026-56358 | n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the … | CVSS 5.4 MEDIUM

Description

n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can inject XSS payloads that execute persistently for all form visitors, enabling form hijacking and phishing attacks.

Metadata

CVE ID: CVE-2026-56358
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 21:16 UTC
Published: 2026-06-24 11:53 UTC
Last updated: 2026-06-24 11:53 UTC
Primary CWE: CWE-79
Improper Neutralization of Input During Web Page Generation …
Vendor / Product: n8n / n8n
Sources: cve.org · NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Affected products (3)

Vendor	Product	Platform	Versions
n8n	n8n	—	0 < 1.123.25, 1.123.25, 2.0.0-rc.0 < 2.11.2, 2.11.2
n8n	n8n	—	0 < 2.11.2, 2.11.2
n8n	n8n	—	0 < 1.123.25, 1.123.25

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (2)

Score	Severity	Version	Source	Vector
5.4	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.1	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

References (2)

GitHub Security Advisory (GHSA-q4fm-pjq6-m63g) https://github.com/n8n-io/n8n/security/advisories/GHSA-q4fm-pjq6-m63g
VulnCheck Advisory: n8n - Stored Cross-Site Scripting in Form Trigger Node https://www.vulncheck.com/advisories/n8n-stored-cross-site-scripting-in-form-trigger-node