{"data":{"id":"37c84990-cd2c-48ea-ae49-1a4a68aa2124","title":"GHSA-h86q-fx34-gfjr: n8n: Reflected XSS via Facebook, WhatsApp, and Microsoft Teams Trigger Webhook Verification Endpoints","summary":"n8n, a workflow automation tool, has a reflected XSS vulnerability (a type of attack where malicious code is injected into a webpage and executed in a user's browser) in its Facebook, WhatsApp, and Microsoft Teams trigger endpoints. When a logged-in user visits a specially crafted URL, an unsanitized query parameter gets reflected back in the response, allowing an attacker to run arbitrary code in the user's browser within n8n's origin.","solution":"The issue has been fixed in n8n version 2.24.0. Users should upgrade to this version or later. If upgrading is not immediately possible, administrators can temporarily: (1) limit workflow creation and activation permissions to fully trusted users only, or (2) disable the affected nodes by adding `n8n-nodes-base.facebookTrigger`, `n8n-nodes-base.whatsAppTrigger`, `n8n-nodes-base.facebookLeadAdsTrigger`, and `n8n-nodes-base.microsoftTeamsTrigger` to the `NODES_EXCLUDE` environment variable.\nThe source notes these workarounds do not fully remediate the risk and should only be used as short-term measures.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-h86q-fx34-gfjr","publishedAt":"2026-06-16T22:39:16.000Z","cveId":"CVE-2026-54303","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":["n8n@< 2.24.0 (fixed: 2.24.0)"],"affectedVendors":[],"affectedVendorsRaw":["n8n"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-06-16T22:39:16.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity"],"aiComponentTargeted":"agent","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}