Same Origin, Same Tricks: Bypassing n8n’s CSP Sandbox (CVE-2026-27578)
ID: 34b3ed4a-4b56-5e3a-92dc-9ec1d5601a76
STIX ID: report--34b3ed4a-4b56-5e3a-92dc-9ec1d5601a76
Feed Name: Checkmarx Zero
Checkmarx Zero disclosed CVE-2026-27578, a stored XSS in n8n’s “Respond to Webhook” node. The flaw bypasses the platform’s CSP sandbox by returning SVG content (image/svg+xml), enabling arbitrary JavaScript execution in authenticated users’ sessions and risking session hijacking and account takeover. Affected versions are listed in the advisory; fixes are available in n8n 2.10.1, 2.9.3, and 1.123.22, and administrators should upgrade immediately.
