CVE-2026-4093: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Drupal Term Reference Tree
CVE-2026-4093 is a medium severity stored cross-site scripting (XSS) vulnerability in the Drupal 7 Term Reference Tree module versions up to 7. x-1. 11. It involves two XSS vectors: one through token display templates when the Token module is enabled, and another through unsanitized taxonomy term labels. Users with permission to create or edit taxonomy terms can inject malicious scripts that execute when the affected fields or forms are rendered. No official patch or remediation guidance is currently provided by the vendor.
AI Analysis
Technical Summary
This vulnerability affects the Drupal 7 Term Reference Tree module (7.x-1.x up to 7.x-1.11) and involves improper neutralization of input during web page generation (CWE-79). Specifically, two stored XSS vectors exist: (1) attacker-controlled token output in token display templates is rendered without proper sanitization if the Token module is enabled, allowing script injection via term descriptions; (2) taxonomy term labels are not sanitized before rendering in the widget, enabling script injection via term names. Exploitation requires permissions to create or edit taxonomy terms, and the malicious scripts execute when the relevant fields or forms are viewed.
Potential Impact
Successful exploitation allows an attacker with limited permissions (to create or edit taxonomy terms) to inject and execute arbitrary JavaScript in the context of users viewing the affected fields or forms. This can lead to session hijacking, defacement, or other client-side attacks. The vulnerability has a CVSS 4.0 base score of 5.1 (medium severity), reflecting network attack vector, low complexity, and limited privileges required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict permissions to create or edit taxonomy terms to trusted users only. Consider disabling the Token module or token display templates if not required, as this reduces exposure to one of the XSS vectors. Monitor Drupal security advisories for updates and apply official patches once released.
CVE-2026-4093: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Drupal Term Reference Tree
Description
CVE-2026-4093 is a medium severity stored cross-site scripting (XSS) vulnerability in the Drupal 7 Term Reference Tree module versions up to 7. x-1. 11. It involves two XSS vectors: one through token display templates when the Token module is enabled, and another through unsanitized taxonomy term labels. Users with permission to create or edit taxonomy terms can inject malicious scripts that execute when the affected fields or forms are rendered. No official patch or remediation guidance is currently provided by the vendor.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects the Drupal 7 Term Reference Tree module (7.x-1.x up to 7.x-1.11) and involves improper neutralization of input during web page generation (CWE-79). Specifically, two stored XSS vectors exist: (1) attacker-controlled token output in token display templates is rendered without proper sanitization if the Token module is enabled, allowing script injection via term descriptions; (2) taxonomy term labels are not sanitized before rendering in the widget, enabling script injection via term names. Exploitation requires permissions to create or edit taxonomy terms, and the malicious scripts execute when the relevant fields or forms are viewed.
Potential Impact
Successful exploitation allows an attacker with limited permissions (to create or edit taxonomy terms) to inject and execute arbitrary JavaScript in the context of users viewing the affected fields or forms. This can lead to session hijacking, defacement, or other client-side attacks. The vulnerability has a CVSS 4.0 base score of 5.1 (medium severity), reflecting network attack vector, low complexity, and limited privileges required.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict permissions to create or edit taxonomy terms to trusted users only. Consider disabling the Token module or token display templates if not required, as this reduces exposure to one of the XSS vectors. Monitor Drupal security advisories for updates and apply official patches once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- drupal
- Date Reserved
- 2026-03-12T22:40:32.279Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0f83d9e1370fbb48503dd9
Added to database: 5/21/2026, 10:14:49 PM
Last enriched: 5/21/2026, 10:29:49 PM
Last updated: 5/21/2026, 11:29:22 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.