CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-56354: n8n before 1.123.24, 2.10.4, and 2.12.0 (across its 1.x and 2.x branches) contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML d

mediumCVSS 4.1CVE-2026-56354
n8n before 1.123.24, 2.10.4, and 2.12.0 (across its 1.x and 2.x branches) contains cross-site scripting and open redirect vulnerabilities in the Form Node due to unsanitized HTML description fields and overly permissive iframe sandbox policies. Authenticated users with workflow creation permissions can inject malicious scripts or redirect parameters to perform stored XSS attacks or phishing redirects against end users.

Details

Source
NVD Recent CVEs (US · database · site)
Severity
medium — CVSS 4.1
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-56354

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-56354coverage & exploitation statusNVD · CVE.org

Recent advisories for n8n

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from NVD Recent CVEs