Bug 2480655 (CVE-2026-4093) - CVE-2026-4093 drupal7: Drupal 7 Term Reference Tree: Stored Cross-Site Scripting allows script injection via term editing
Summary: CVE-2026-4093 drupal7: Drupal 7 Term Reference Tree: Stored Cross-Site Script...
Keywords:
Status: NEW
Alias: CVE-2026-4093
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2481427
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-05-21 23:01 UTC by OSIDB Bzimport
Modified: 2026-05-26 11:11 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-05-21 23:01:13 UTC
In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.

Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.

Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.

Exploit affects versions 7.x-1.x up to and including 7.x-1.11.


Note You need to log in before you can comment on or make changes to this bug.