Skip to main content

Term Reference Tree EUVDEUVD-2026-31377

| CVE-2026-4093 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-05-21 mlhess@drupal.org GHSA-q6w2-7g3j-5vg3
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 22:42 vuln.today

DescriptionCVE.org

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.

Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.

Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.

Exploit affects versions 7.x-1.x up to and including 7.x-1.11.

AnalysisAI

Stored cross-site scripting in the Drupal 7 Term Reference Tree module (versions 7.x-1.x through 7.x-1.11) exposes two distinct injection vectors in its widget and formatter rendering pipeline, both exploitable by any authenticated user with taxonomy term edit permissions. Vector A triggers when the Token module is enabled and token display templates are configured, allowing attacker-controlled term description output to render unsanitized. Vector B targets the widget itself, where taxonomy term labels are written to form output without sanitization, executing injected scripts in the browsers of users who view any form containing the widget. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low privilege bar and persistent nature of stored XSS make this a meaningful risk in multi-user Drupal 7 deployments.

Technical ContextAI

The Term Reference Tree module (Drupal project page, 7.x-1.x branch) provides a hierarchical tree widget for referencing taxonomy terms in Drupal 7 content. It relies on Drupal's Form API and Taxonomy API for rendering term labels inside widgets, and optionally integrates with the Token module to allow customizable display templates using token substitution. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), manifesting in two places: (1) token-substituted values from term descriptions passed into template output without HTML encoding, and (2) raw taxonomy term label strings rendered into widget markup without escaping. Because Drupal 7's taxonomy system allows any user with the 'edit terms' or 'administer taxonomy' permission to modify term names and descriptions, the trust boundary is breached - contributor-level principals can inject persistent payloads that execute in administrative or editor contexts. Drupal 7 itself reached end-of-life on January 5, 2025; ongoing patches for this module are expected only through commercial LTS providers such as Tag1 (d7es) and HeroDevs.

RemediationAI

The primary remediation is to upgrade the Term Reference Tree module to a version beyond 7.x-1.11 that includes output sanitization fixes; consult the Tag1 d7es advisory at https://d7es.tag1.com/security-advisories/taxonomy-term-reference-tree-widget-moderately-critical-cross-site-scripting or the HeroDevs advisory at https://www.herodevs.com/vulnerability-directory/cve-2026-4093 for the exact patched release, as no specific fix version was identified in the available data. If a patched module version is not immediately available or cannot be deployed, the following compensating controls should be applied in order of preference: restrict the 'edit terms' and 'administer taxonomy' Drupal permissions to fully trusted administrative roles only, eliminating the low-privilege attack path; if Vector A is the primary concern, disable the Token module integration or remove token display template configurations for Term Reference Tree fields, which eliminates that specific rendering path while preserving basic widget functionality; apply Drupal's built-in text format restrictions to taxonomy term description fields to strip HTML on save, reducing the persistence window for injected payloads. Note that restricting permissions may break contributor workflows that rely on taxonomy management. Given that Drupal 7 is end-of-life, organizations should also evaluate migration to Drupal 10/11 as a long-term remediation path.

Share

EUVD-2026-31377 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy