CVE-2026-4093
Status: Analyzed - Analysis Complete
Stored XSS in Drupal Term Reference Tree Module

Publication date: 2026-05-21

Last updated on: 2026-06-01

Assigner: Drupal.org

Description
In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): when the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., the term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered. Vector B (term label rendering): taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed. The vulnerability affects versions 7.x-1.x up to and including 7.x-1.11.
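The two rendering patterns described above, shown in Drupal 7 style beside the escaping a fix would apply. This is an added illustration, not the Term Reference Tree module's own code; the function names are hypothetical, while `check_plain()`, `filter_xss()` and `token_replace()` are Drupal 7 core APIs.

```php
<?php
// Added illustration in Drupal 7 style; NOT the Term Reference Tree module's
// own source. Function names here are hypothetical.

// Vector B, unsafe: the raw term name is concatenated into the widget's HTML,
// so markup stored in a term name by a term editor becomes part of the page.
function example_tree_item_unsafe($term, $checked) {
  $attr = $checked ? ' checked="checked"' : '';
  return '<label><input type="checkbox" name="tid[' . (int) $term->tid . ']"' . $attr . '> '
    . $term->name . '</label>';
}

// Vector B, hardened: a term name is plain text, so escape it with
// check_plain() before it reaches HTML; the tid is cast to int as well.
function example_tree_item_safe($term, $checked) {
  $attr = $checked ? ' checked="checked"' : '';
  return '<label><input type="checkbox" name="tid[' . (int) $term->tid . ']"' . $attr . '> '
    . check_plain($term->name) . '</label>';
}

// Vector A, unsafe: a configured display template such as
// "[term:name] - [term:description]" is expanded and returned as raw markup.
// The description is editable by anyone allowed to edit the term.
function example_tree_label_from_tokens_unsafe($template, $term) {
  return token_replace($template, array('term' => $term));
}

// Vector A, hardened: treat the expanded template as untrusted HTML and pass
// it through filter_xss(), which keeps a small allow-list of tags and strips
// script elements, on* event-handler attributes and javascript: URLs.
function example_tree_label_from_tokens_safe($template, $term) {
  return filter_xss(token_replace($template, array('term' => $term)));
}
```

A quick review check for a site running the affected versions is to grep the widget's theme functions for `$term->name` or `token_replace(` output placed into HTML without a surrounding `check_plain()` / `filter_xss()` call.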
Meta Information
Published: 2026-05-21
Last Modified: 2026-06-01
Generated: 2026-06-11
AI Q&A: 2026-05-22
EPSS Evaluated: 2026-06-10
Affected Vendors & Products (1 associated CPE)
Vendor: taxonomy_term_reference_tree_widget_project
Product: taxonomy_term_reference_tree_widget
Version / Range: From 7.x-1.0 (inc) to 7.x-1.12 (exc)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

This vulnerability exists in the Drupal 7 Term Reference Tree module and involves two stored Cross-Site Scripting (XSS) vectors in the widget/formatter rendering pipeline.

  • Vector A occurs when the Token module is enabled and token display templates are configured. Attacker-controlled token output, such as a term description, is rendered without proper sanitization, allowing users who can edit taxonomy terms to inject malicious HTML or JavaScript that executes when the field is displayed.
  • Vector B involves taxonomy term labels that are not properly sanitized before rendering in the widget. A user with permission to create or edit taxonomy terms can inject scripts into the term name, which execute when a form containing the widget is viewed.

This affects versions 7.x-1.x up to and including 7.x-1.11 of the module.

Impact Analysis

This vulnerability can allow attackers who have permission to edit taxonomy terms to inject malicious scripts that execute in the browsers of users viewing the affected fields or forms.

The impact includes potential theft of user credentials, session hijacking, defacement, or other malicious actions performed via the injected scripts.

Because the vulnerability requires at least limited permissions (to edit taxonomy terms), the risk depends on the access control policies in place.
