Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.
Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.
Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.
Exploit affects versions 7.x-1.x up to and including 7.x-1.11.
AnalysisAI
Stored cross-site scripting in the Drupal 7 Term Reference Tree module (versions 7.x-1.x through 7.x-1.11) exposes two distinct injection vectors in its widget and formatter rendering pipeline, both exploitable by any authenticated user with taxonomy term edit permissions. Vector A triggers when the Token module is enabled and token display templates are configured, allowing attacker-controlled term description output to render unsanitized. Vector B targets the widget itself, where taxonomy term labels are written to form output without sanitization, executing injected scripts in the browsers of users who view any form containing the widget. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low privilege bar and persistent nature of stored XSS make this a meaningful risk in multi-user Drupal 7 deployments.
Technical ContextAI
The Term Reference Tree module (Drupal project page, 7.x-1.x branch) provides a hierarchical tree widget for referencing taxonomy terms in Drupal 7 content. It relies on Drupal's Form API and Taxonomy API for rendering term labels inside widgets, and optionally integrates with the Token module to allow customizable display templates using token substitution. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), manifesting in two places: (1) token-substituted values from term descriptions passed into template output without HTML encoding, and (2) raw taxonomy term label strings rendered into widget markup without escaping. Because Drupal 7's taxonomy system allows any user with the 'edit terms' or 'administer taxonomy' permission to modify term names and descriptions, the trust boundary is breached - contributor-level principals can inject persistent payloads that execute in administrative or editor contexts. Drupal 7 itself reached end-of-life on January 5, 2025; ongoing patches for this module are expected only through commercial LTS providers such as Tag1 (d7es) and HeroDevs.
RemediationAI
The primary remediation is to upgrade the Term Reference Tree module to a version beyond 7.x-1.11 that includes output sanitization fixes; consult the Tag1 d7es advisory at https://d7es.tag1.com/security-advisories/taxonomy-term-reference-tree-widget-moderately-critical-cross-site-scripting or the HeroDevs advisory at https://www.herodevs.com/vulnerability-directory/cve-2026-4093 for the exact patched release, as no specific fix version was identified in the available data. If a patched module version is not immediately available or cannot be deployed, the following compensating controls should be applied in order of preference: restrict the 'edit terms' and 'administer taxonomy' Drupal permissions to fully trusted administrative roles only, eliminating the low-privilege attack path; if Vector A is the primary concern, disable the Token module integration or remove token display template configurations for Term Reference Tree fields, which eliminates that specific rendering path while preserving basic widget functionality; apply Drupal's built-in text format restrictions to taxonomy term description fields to strip HTML on save, reducing the persistence window for injected payloads. Note that restricting permissions may break contributor workflows that rely on taxonomy management. Given that Drupal 7 is end-of-life, organizations should also evaluate migration to Drupal 10/11 as a long-term remediation path.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31377
GHSA-q6w2-7g3j-5vg3