XSS in n8n Workflows: Where It Sneaks In

n8n is great at moving data between systems fast. That also makes it great at moving attacker-controlled HTML and JavaScript straight into places you did not expect. If you build internal tools, approval flows, chat integrations, or webhook-driven automations with n8n, you are already handling untrusted input. The problem starts when that input gets rendered in a browser, embedded into HTML emails, dropped into dashboard widgets, or passed into a frontend without output encoding. ...

June 3, 2026 · 8 min · headertest.com
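
The missing output encoding described above, shown for the HTML email case. This is an added example, not code from the article or from n8n. The function names and the name/comment/link fields are assumptions, and the sample item is constructed in the { json: ... } shape n8n passes between nodes.

```javascript
// Added example: helper names are hypothetical, sample data is constructed.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for HTML text and quoted-attribute contexts.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => ESC[ch]);
}

// Entity-encoding does not neutralize javascript: or data: links,
// so the URL scheme is checked against an allowlist first.
function safeHref(value) {
  try {
    const url = new URL(String(value));
    return ['http:', 'https:', 'mailto:'].includes(url.protocol) ? url.href : '#';
  } catch {
    return '#'; // not an absolute URL: drop it
  }
}

// Unsafe: webhook fields interpolated straight into markup.
function renderUnsafe(item) {
  const { name, comment, link } = item.json;
  return `<p><b>${name}</b>: ${comment}</p><a href="${link}">Open request</a>`;
}

// Safe: every field is encoded for the context it lands in.
function renderSafe(item) {
  const { name, comment, link } = item.json;
  return `<p><b>${escapeHtml(name)}</b>: ${escapeHtml(comment)}</p>` +
    `<a href="${escapeHtml(safeHref(link))}">Open request</a>`;
}

// Constructed sample item, as a webhook-triggered workflow might receive it.
const sample = { json: {
  name: 'Ana "QA" <ana@example.test>',
  comment: '<script>alert(1)</script>',
  link: 'javascript:alert(1)',
} };

console.log(renderUnsafe(sample)); // markup and script URL pass through intact
console.log(renderSafe(sample));   // same fields rendered as inert text
```

Encoding has to happen at the point where the HTML is assembled, since the same field may be safe in a JSON API call and unsafe in an email body.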