VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-fy3d-ykem-3fgr

Essentials
Severities (14)
References (7)
Severity details (13)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-fy3d-ykem-3fgr
Aliases	CVE-2025-52478 GHSA-hfmv-hhh3-43f2
Summary	n8n is a workflow automation platform. From 1.77.0 to before 1.98.2, a stored Cross-Site Scripting (XSS) vulnerability was identified in n8n, specifically in the Form Trigger node's HTML form element. An authenticated attacker can inject malicious HTML via an <iframe> with a srcdoc payload that includes arbitrary JavaScript execution. The attacker can also inject malicious Javascript by using <video> coupled <source> using an onerror event. While using iframe or a combination of video and source tag, this vulnerability allows for Account Takeover (ATO) by exfiltrating n8n-browserId and session cookies from authenticated users who visit a maliciously crafted form. Using these tokens and cookies, an attacker can impersonate the victim and change account details such as email addresses, enabling full control over the account—especially if 2FA is not enabled. Users should upgrade to version >= 1.98.2.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00032	https://api.first.org/data/v1/epss?cve=CVE-2025-52478
cvssv3.1	8.7	https://github.com/n8n-io/n8n
generic_textual	HIGH	https://github.com/n8n-io/n8n
cvssv3.1	8.7	https://github.com/n8n-io/n8n/commit/7940384a85041a1890b1203d69c092c887312500
generic_textual	HIGH	https://github.com/n8n-io/n8n/commit/7940384a85041a1890b1203d69c092c887312500
ssvc	Track	https://github.com/n8n-io/n8n/commit/7940384a85041a1890b1203d69c092c887312500
cvssv3.1	8.7	https://github.com/n8n-io/n8n/pull/16329
generic_textual	HIGH	https://github.com/n8n-io/n8n/pull/16329
ssvc	Track	https://github.com/n8n-io/n8n/pull/16329
cvssv3.1	8.7	https://github.com/n8n-io/n8n/security/advisories/GHSA-hfmv-hhh3-43f2
generic_textual	HIGH	https://github.com/n8n-io/n8n/security/advisories/GHSA-hfmv-hhh3-43f2
ssvc	Track	https://github.com/n8n-io/n8n/security/advisories/GHSA-hfmv-hhh3-43f2
cvssv3.1	8.7	https://nvd.nist.gov/vuln/detail/CVE-2025-52478
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2025-52478

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2025-52478
		https://github.com/n8n-io/n8n
		https://nvd.nist.gov/vuln/detail/CVE-2025-52478
16329		https://github.com/n8n-io/n8n/pull/16329
7940384a85041a1890b1203d69c092c887312500		https://github.com/n8n-io/n8n/commit/7940384a85041a1890b1203d69c092c887312500
GHSA-hfmv-hhh3-43f2		https://github.com/advisories/GHSA-hfmv-hhh3-43f2
GHSA-hfmv-hhh3-43f2		https://github.com/n8n-io/n8n/security/advisories/GHSA-hfmv-hhh3-43f2

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/n8n-io/n8n

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/n8n-io/n8n/commit/7940384a85041a1890b1203d69c092c887312500

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-19T19:18:07Z/ Found at https://github.com/n8n-io/n8n/commit/7940384a85041a1890b1203d69c092c887312500

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/n8n-io/n8n/pull/16329

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-19T19:18:07Z/ Found at https://github.com/n8n-io/n8n/pull/16329

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://github.com/n8n-io/n8n/security/advisories/GHSA-hfmv-hhh3-43f2

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-08-19T19:18:07Z/ Found at https://github.com/n8n-io/n8n/security/advisories/GHSA-hfmv-hhh3-43f2

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2025-52478

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.09956
EPSS Score	0.00032
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T17:05:13.391006+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2025/52xxx/CVE-2025-52478.json	38.6.0