Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Stored XSS submitted over the network by a low-privilege authenticated user; victim must render the page (UI:R); scope changes to victim browser context with limited confidentiality and integrity impact and no availability impact.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Stored XSS. This issue affects Tagify versions: from 0.0.0 to 1.2.52.
AnalysisAI
Stored cross-site scripting in the Drupal Tagify contributed module allows low-privileged authenticated users to inject persistent malicious scripts that execute in the browsers of subsequent page visitors, including administrators. All Tagify module versions prior to 1.2.52 are affected. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated user account holding a Drupal role with permission to create or edit content that uses a Tagify-widget field (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.4 Medium score is consistent with a network-reachable (AV:N), low-complexity (AC:L) stored XSS requiring low privilege to submit (PR:L) and user interaction from a victim (UI:R), with Changed scope (S:C) and limited confidentiality and integrity impact (C:L/I:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user with a low-privilege role - such as a registered site member or content contributor - submits a crafted JavaScript payload embedded in a Tagify tag field on a content creation or editing form. The payload is persisted to the Drupal database. … |
| Remediation | Upgrade the Drupal Tagify module to version 1.2.52 or later, which contains the vendor-released patch per the security advisory at https://www.drupal.org/sa-contrib-2026-043. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
This affects the package @yaireo/tagify before 4.9.8. Rated medium severity (CVSS 5.4), this vulnerability is remotely e
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allo
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43049
GHSA-92rg-hv8v-hrc3