CVE-2026-56358 n8n - Stored Cross-Site Scripting in Form Trigger Node

The CVE affects n8n before 1.123.25 (1.x) and before 2.11.2 (2.x); a stored XSS exists in the Form Trigger node due to a CSS sanitization flaw. Authenticated users with workflow creation permissions can inject XSS payloads that persist for all form visitors, enabling form hijacking and phishing. ...