Cross-site scripting in n8n - #VU137168
Published: July 8, 2026
n8n
Detailed vulnerability description
The vulnerability allows a remote user to execute arbitrary script in the victim's browser and access authenticated same-origin APIs.
The vulnerability exists due to cross-site scripting in the HTML preview iframe srcdoc handling when rendering execution output. A remote user can inject crafted content that bypasses sanitization to execute arbitrary script in the victim's browser and access authenticated same-origin APIs.
User interaction is required to open the preview, and the injected script runs same-origin as the editor.