CVE-2026-4093

Stored XSS in Drupal Term Reference Tree Module

Vulnerability report for CVE-2026-4093, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-21

Last updated on: 2026-06-01

Assigner: Drupal.org

Description

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.

Vector A (token display templates): when the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g. the term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.

Vector B (term label rendering): taxonomy term labels are not properly sanitized before being rendered in the widget, so a user with permission to create or edit taxonomy terms can inject scripts into the term name that execute when a form containing the widget is viewed.

The vulnerability affects versions 7.x-1.x up to and including 7.x-1.11.

Meta Information

Published: 2026-05-21
Last Modified: 2026-06-01
Generated: 2026-07-02
AI Q&A: 2026-05-22
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Showing 1 associated CPE

Vendor: taxonomy_term_reference_tree_widget_project
Product: taxonomy_term_reference_tree_widget
Version / Range: from 7.x-1.0 (inclusive) to 7.x-1.12 (exclusive)

CWE

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.


Executive Summary

This vulnerability exists in the Drupal 7 Term Reference Tree module and involves two stored Cross-Site Scripting (XSS) vectors in the widget/formatter rendering pipeline.

  • Vector A occurs when the Token module is enabled and token display templates are configured. Attacker-controlled token output, such as a term description, is rendered without proper sanitization, allowing users who can edit taxonomy terms to inject malicious HTML or JavaScript that executes when the field is displayed.
  • Vector B involves taxonomy term labels that are not properly sanitized before rendering in the widget. A user with permission to create or edit taxonomy terms can inject scripts into the term name, which execute when a form containing the widget is viewed.

This affects versions 7.x-1.x up to and including 7.x-1.11 of the module.
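As an added illustration of the two rendering paths described above (constructed example code, not the module's own source), the following shows a vulnerable and a hardened form of term label rendering (vector B) and of token template substitution (vector A); the Drupal 7 check_plain() helper is reproduced so the script runs stand-alone, and strtr() is a stand-in for a token template.

```php
<?php
// Added illustration, not code from the Term Reference Tree module: the two
// rendering paths the advisory describes, each in a vulnerable and a hardened
// form. Drupal 7's check_plain() is htmlspecialchars($text, ENT_QUOTES,
// 'UTF-8'); it is redefined here so the script runs without Drupal.
function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
// Constructed term: an editor has put markup into the name (vector B) and the
// description (vector A). The tags are only markers showing whether markup
// survives into the output; real terms come from taxonomy_term_load().
$term = (object) array(
    'tid' => 42,
    'name' => 'Apples <script>probe()</script>',
    'description' => 'Sweet <img src=x onerror="probe()">',
);

// Vector B, vulnerable: the term name is concatenated straight into the
// checkbox label, so any markup in it reaches the browser unchanged.
function render_label_unsafe($term) {
    return '<label for="edit-tid-' . $term->tid . '">' . $term->name . '</label>';
}

// Vector B, hardened: escape user-editable text where it becomes HTML.
function render_label_safe($term) {
    return '<label for="edit-tid-' . (int) $term->tid . '">'
        . check_plain($term->name) . '</label>';
}

// Vector A, vulnerable: a display template such as "[term:name] ([term:description])"
// is filled with raw term fields. strtr() stands in for a token template here;
// Drupal's own token_replace() sanitizes replacements unless 'sanitize' => FALSE.
function render_template_unsafe($template, $term) {
    return strtr($template, array(
        '[term:name]' => $term->name,
        '[term:description]' => $term->description,
    ));
}

// Vector A, hardened: every replacement is escaped before substitution; when a
// template must keep some tags, filter_xss() with an allow-list is the Drupal 7 step.
function render_template_safe($template, $term) {
    return strtr($template, array(
        '[term:name]' => check_plain($term->name),
        '[term:description]' => check_plain($term->description),
    ));
}
$template = '[term:name] ([term:description])';
echo render_label_unsafe($term), "\n", render_label_safe($term), "\n";
echo render_template_unsafe($template, $term), "\n", render_template_safe($template, $term), "\n";
```

The unsafe variants emit the term's tags verbatim, while the hardened variants turn them into entities, which is the property a fixed widget or formatter has to guarantee for every user-editable field it prints.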

Impact Analysis

This vulnerability can allow attackers who have permission to edit taxonomy terms to inject malicious scripts that execute in the browsers of users viewing the affected fields or forms.

The impact includes potential theft of user credentials, session hijacking, defacement, or other malicious actions performed via the injected scripts.

Because the vulnerability requires at least limited permissions (to edit taxonomy terms), the risk depends on the access control policies in place.
