Cross-site scripting in n8n - #VU127208

 

Published: April 23, 2026


Vulnerability identifier: #VU127208
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: n8n
Affected software:
n8n

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to cross-site scripting in the Form Trigger node's CSS sanitization when processing user-supplied form styling. A remote user can store a crafted XSS payload to execute arbitrary script in a victim's browser.

User interaction is required: a visitor must open the published form. The injected script executes persistently for every visitor of the published form and can hijack form submissions or present phishing content.


Remediation

Install the security update from the vendor's website.
