GHSA-q4fm-pjq6-m63g: n8n has a Stored XSS Vulnerability in its Form Trigger
An authenticated user with permission to create or modify workflows could exploit a flaw in the Form Trigger node’s CSS sanitization to store a cross-site scripting (XSS) payload. The injected script executes persistently for every visitor to the published form, enabling form submission hijacking and phishing. The existing Content Security Policy prevents direct theft of the n8n session cookie, but it does not prevent the script from executing or from manipulating the form’s action.
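As an added illustration (not n8n's code and not the flawed sanitizer itself), this is the kind of check a defender would expect to see applied to user-supplied custom CSS before it is embedded in a served form page: the patterns, function names and sample inputs are assumptions constructed for this example.

```javascript
// Added example, not n8n code. Checks user-supplied CSS for constructs that
// let it escape the <style> context or load/execute code before it is
// inlined into a published form page. Deny-list is an assumption for
// illustration; the actual GHSA-q4fm-pjq6-m63g flaw is not reproduced here.
const DANGEROUS_CSS = [
  /<\s*\/?\s*style/i,                                  // terminates the <style> element (context breakout)
  /<\s*script/i,                                       // inline script tag inside the CSS text
  /expression\s*\(/i,                                  // legacy IE CSS expressions (script execution)
  /@import/i,                                          // pulls in an external stylesheet
  /-moz-binding/i,                                     // legacy XBL binding (script execution)
  /behavior\s*:/i,                                     // legacy IE .htc behaviors
  /url\s*\(\s*['"]?\s*(javascript|data|vbscript)\s*:/i // non-http(s) schemes in url()
];

// Returns { ok, problems } so a caller can log what was rejected.
function checkCustomCss(css) {
  const problems = [];
  for (const re of DANGEROUS_CSS) {
    const m = re.exec(css);
    if (m) problems.push(m[0]);
  }
  return { ok: problems.length === 0, problems };
}

// Wraps accepted CSS in a <style> element; refuses anything flagged above.
function buildStyleBlock(css) {
  const { ok, problems } = checkCustomCss(css);
  if (!ok) throw new Error('rejected custom CSS: ' + problems.join(', '));
  return '<style>' + css + '</style>';
}

// Constructed sample: benign branding CSS passes, a style-context breakout does not.
console.log(buildStyleBlock('.form { color: #333; background: url(/logo.png); }'));
console.log(checkCustomCss('p {} </style>').problems);
```

The `data:` rule is deliberately strict and would also block inline images; relax it only after confirming the page's Content Security Policy covers `img-src`.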