CVE-2026-4093
Stored XSS in Drupal Term Reference Tree Module
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: Drupal.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| drupal | term_reference_tree | 7.x-1.x up to and including 7.x-1.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Drupal 7 Term Reference Tree module and consists of two stored Cross-Site Scripting (XSS) vectors in the widget/formatter rendering pipeline.
- Vector A occurs when the Token module is enabled and token display templates are configured. Attacker-controlled token output, such as a term description, is rendered without proper sanitization, so a user who can edit taxonomy terms can inject HTML or JavaScript that executes when the field is displayed.
- Vector B involves taxonomy term labels that are not properly sanitized before being rendered in the widget. A user with permission to create or edit taxonomy terms can place script in the term name, and it executes when a form containing the widget is viewed.
This affects versions 7.x-1.x up to and including 7.x-1.11 of the module.
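To make the defect class behind Vector B concrete, here is an added illustration in PHP (hypothetical helper names, not the module's own code): a widget label built from a taxonomy term name, first without escaping and then with Drupal 7's check_plain(). The sample term is constructed.

```php
<?php
// Added illustration, not code from the Term Reference Tree module.
// Term names are writable by anyone with "edit terms" permission, so they are
// untrusted input from the widget's point of view and must be escaped before
// being placed into HTML.

// Vulnerable pattern: the raw term name is concatenated into markup.
function hypothetical_tree_label_vulnerable($term) {
  return '<label for="tid-' . $term->tid . '">' . $term->name . '</label>';
}

// Hardened pattern: check_plain() (Drupal 7 core) HTML-encodes the name, so a
// stored payload is displayed as text instead of being parsed as markup.
// Token output used in display templates (Vector A) needs the same treatment:
// treat it as untrusted and escape or filter it for the output context.
function hypothetical_tree_label_fixed($term) {
  return '<label for="tid-' . (int) $term->tid . '">' . check_plain($term->name) . '</label>';
}

// Constructed sample term carrying a stored-XSS style name.
$term = (object) array('tid' => 42, 'name' => 'Fruit<script>alert(1)</script>');

// The vulnerable output contains a live <script> element; the fixed output
// contains the literal text "&lt;script&gt;" and renders harmlessly.
print hypothetical_tree_label_vulnerable($term) . "\n";
print hypothetical_tree_label_fixed($term) . "\n";
```

When reviewing a widget or formatter for this class of bug, look for every place a term name, description or token result reaches '#markup' or string concatenation without passing through check_plain(), filter_xss() or an equivalent context-appropriate escaper.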
How can this vulnerability impact me?
This vulnerability allows attackers who have permission to edit taxonomy terms to inject scripts that execute in the browsers of users viewing the affected fields or forms.
The impact includes potential theft of user credentials, session hijacking, defacement, or other actions performed via the injected scripts in the context of the victim's session.
Because exploitation requires at least limited permissions (the ability to edit taxonomy terms), the practical risk depends on how widely that permission is granted under the site's access control policies.