{"cve":{"cve_id":"CVE-2026-56358","is_kev":false,"kev_date_added":null,"kev_vendor_project":null,"kev_product":null,"kev_vulnerability_name":null,"kev_short_description":null,"kev_required_action":null,"kev_due_date":null,"kev_known_ransomware":null,"kev_notes":null,"kev_cwes":null,"epss_score":null,"epss_percentile":null,"epss_as_of":null,"description":"n8n before 1.123.25 (1.x) and before 2.11.2 (2.x), with the fix also included in 2.12.0, contains a stored cross-site scripting vulnerability in the Form Trigger node's CSS sanitization that allows authenticated users to inject malicious scripts. Attackers with workflow creation permissions can inject XSS payloads that execute persistently for all form visitors, enabling form hijacking and phishing attacks.","published_at":"2026-06-24T11:53:19.735000Z","last_modified_at":null,"cvss_v3_score":5.4,"cvss_v3_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","cvss_v3_severity":"MEDIUM","cvss_v4_score":5.1,"cvss_v4_vector":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N","cvss_v4_severity":"MEDIUM","ssvc_decision":null,"ssvc_exploitation":null,"ssvc_automatable":null,"ssvc_technical_impact":null,"cwes":["CWE-79"],"nvd_references":["https://github.com/n8n-io/n8n/security/advisories/GHSA-q4fm-pjq6-m63g","https://www.vulncheck.com/advisories/n8n-stored-cross-site-scripting-in-form-trigger-node"],"vuln_status":null,"trending_score":null,"is_trending":false,"has_trended":false,"trended_number_one":false,"trending_peak_score":null,"trending_peak_rank":null,"started_trending_at":null,"trended_number_one_at":null,"summary_generated":null,"summary_generated_at":null,"summary_model":null,"created_at":"2026-06-28T17:55:42.709123Z","updated_at":"2026-06-28T23:30:57.197036Z"},"effective_severity":"MEDIUM","badges":[],"impact_analysis":[],"cvss_v3_decoded":{"version":"3.1","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"R","value_label":"Required"},{"metric":"S","name":"Scope","value":"C","value_label":"Changed"},{"metric":"C","name":"Confidentiality","value":"L","value_label":"Low"},{"metric":"I","name":"Integrity","value":"L","value_label":"Low"},{"metric":"A","name":"Availability","value":"N","value_label":"None"}]},"cvss_v4_decoded":{"version":"4.0","metrics":[{"metric":"AV","name":"Attack Vector","value":"N","value_label":"Network"},{"metric":"AC","name":"Attack Complexity","value":"L","value_label":"Low"},{"metric":"AT","name":"Attack Requirements","value":"N","value_label":"None"},{"metric":"PR","name":"Privileges Required","value":"L","value_label":"Low"},{"metric":"UI","name":"User Interaction","value":"P","value_label":"Passive"},{"metric":"VC","name":"Confidentiality (Vulnerable System)","value":"L","value_label":"Low"},{"metric":"VI","name":"Integrity (Vulnerable System)","value":"L","value_label":"Low"},{"metric":"VA","name":"Availability (Vulnerable System)","value":"N","value_label":"None"},{"metric":"SC","name":"Confidentiality (Subsequent System)","value":"L","value_label":"Low"},{"metric":"SI","name":"Integrity (Subsequent System)","value":"L","value_label":"Low"},{"metric":"SA","name":"Availability (Subsequent System)","value":"N","value_label":"None"}]},"affected":[{"vendor_slug":"n8n","vendor_name":"n8n","product_slug":"n8n","product_name":"n8n","version_start":"0","version_start_inclusive":true,"version_end":"1.123.25","version_end_inclusive":false,"cpe23_uri":"cve5:n8n:n8n:0:1.123.25"},{"vendor_slug":"n8n","vendor_name":"n8n","product_slug":"n8n","product_name":"n8n","version_start":"1.123.25","version_start_inclusive":true,"version_end":"1.123.25","version_end_inclusive":true,"cpe23_uri":"cve5:n8n:n8n:1.123.25:1.123.25"},{"vendor_slug":"n8n","vendor_name":"n8n","product_slug":"n8n","product_name":"n8n","version_start":"2.0.0-rc.0","version_start_inclusive":true,"version_end":"2.11.2","version_end_inclusive":false,"cpe23_uri":"cve5:n8n:n8n:2.0.0-rc.0:2.11.2"},{"vendor_slug":"n8n","vendor_name":"n8n","product_slug":"n8n","product_name":"n8n","version_start":"2.11.2","version_start_inclusive":true,"version_end":"2.11.2","version_end_inclusive":true,"cpe23_uri":"cve5:n8n:n8n:2.11.2:2.11.2"},{"vendor_slug":"n8n","vendor_name":"n8n","product_slug":"n8n","product_name":"n8n","version_start":"0","version_start_inclusive":true,"version_end":"2.11.2","version_end_inclusive":false,"cpe23_uri":"cve5:n8n:n8n:0:2.11.2"}],"exploit_refs":[],"news":[],"references":[{"url":"https://github.com/n8n-io/n8n/security/advisories/GHSA-q4fm-pjq6-m63g","source_type":"VENDOR_ADVISORY","tags":["advisory"]},{"url":"https://www.vulncheck.com/advisories/n8n-stored-cross-site-scripting-in-form-trigger-node","source_type":"VENDOR_ADVISORY","tags":["advisory"]}],"timeline":[{"type":"published","at":"2026-06-24T11:53:19.735000Z","label":"CVE published","source":null}]}