CVE Catalog

CVE-2026-56358

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.14%

4th percentile — higher than 4% of all known CVEs

Summary

Stored XSS vulnerability in n8n before versions 1.123.25 (1.x) and 2.11.2 (2.x) (also fixed in 2.12.0) in the Form Trigger node's CSS sanitization allows authenticated users with workflow creation permissions to inject malicious scripts that execute persistently for all form visitors.

Risk Assessment

Attackers can hijack forms and conduct phishing attacks, leading to data theft or further compromise of users.

Recommendation

Immediately update n8n to version 1.123.25, 2.11.2, or 2.12.0. Restrict workflow creation permissions to trusted users only.

Original NVD description (English source)

n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can inject XSS payloads that execute persistently for all form visitors, enabling form hijacking and phishing attacks.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS