CVE-2025-58177: n8n is an open source workflow automation platform. From 1.24.0 to before 1.107.0, there is a stored cross-site scriptin
Summary
n8n, an open source workflow automation platform, has a stored XSS vulnerability (cross-site scripting, where malicious code is saved and runs in users' browsers) in versions 1.24.0 through 1.106.x. An authorized user can inject harmful JavaScript into the initialMessages field of the LangChain Chat Trigger node, and if public access is enabled, this code runs in the browsers of anyone visiting the public chat link, potentially allowing attackers to steal cookies or sensitive data through phishing.
Solution / Mitigation
Update to version 1.107.0 or later. As a workaround, the affected chatTrigger node can be disabled.
Vulnerability Details
5.4 (medium)
EPSS: 0.0%
Related Issues
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
CVE-2025-45150: Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-58177
First tracked: February 15, 2026 at 08:35 PM
Classified by LLM (prompt v3) · confidence: 92%