Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.
AnalysisAI
Drupal Google Analytics GA4 module versions before 1.1.14 contain a cross-site scripting (XSS) vulnerability through improper input neutralization during web page generation, allowing attackers to inject and execute arbitrary JavaScript in user browsers. Remote attackers can craft malicious requests that persist within analytics data or configuration, affecting all users of sites running vulnerable versions. The vulnerability is documented in Drupal's security advisory SA-CONTRIB-2026-024 and has been assigned EUVD-2026-16383; no public exploit code or active exploitation has been confirmed at the time of this analysis.
Technical ContextAI
The vulnerability exists in the Drupal Google Analytics GA4 module (CPE: cpe:2.3:a:drupal:google_analytics_ga4), a contributed extension that integrates Google Analytics 4 tracking functionality into Drupal sites. The flaw is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the module fails to adequately sanitize or escape user-controlled input before rendering it in HTML/JavaScript contexts. This occurs in the process of generating web pages that contain GA4 tracking code or configuration, allowing attacker-supplied payloads to execute in the context of the affected web application and users' browsers. The module processes input-potentially from URL parameters, form fields, or GA4 configuration data-without sufficient validation or output encoding, enabling XSS injection.
RemediationAI
Upgrade the Drupal Google Analytics GA4 module to version 1.1.14 or later as specified in the vendor security advisory (https://www.drupal.org/sa-contrib-2026-024). Use Drupal's administrative interface (Manage > Extend > Update) or manually download and apply the patch from the module's project page. If immediate patching is not feasible, consider disabling the module temporarily until updates can be applied, or restrict site access using a reverse proxy with authentication to limit exposure to trusted users only. After patching, clear any cached analytics configuration and verify that no malicious scripts remain in stored GA4 parameters or tracking codes.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16383
GHSA-868m-2qw8-h5vx