Cross-site scripting in n8n - #VU137162
Published: July 8, 2026
n8n
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser.
The vulnerability exists due to improper input validation in the Resource Locator component when opening workflow-persisted external links. A remote user can create a crafted workflow with a malicious cachedResultUrl value to execute arbitrary JavaScript in the victim's browser.
User interaction is required to open the crafted workflow and interact with external links.