Skip to main content

Drupal Tagify EUVDEUVD-2026-43049

| CVE-2026-11908 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 drupal GHSA-92rg-hv8v-hrc3
5.4
CVSS 3.1 · Vendor: drupal
Share

Severity by source

Vendor (drupal) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS submitted over the network by a low-privilege authenticated user; victim must render the page (UI:R); scope changes to victim browser context with limited confidentiality and integrity impact and no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (drupal).

CVSS VectorVendor: drupal

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jul 14, 2026 - 15:23 vuln.today
CVSS changed
Jul 14, 2026 - 15:22 NVD
5.4 (MEDIUM)
Patch available
Jul 10, 2026 - 23:02 EUVD
CVE Published
Jul 10, 2026 - 21:43 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Stored XSS. This issue affects Tagify versions: from 0.0.0 to 1.2.52.

AnalysisAI

Stored cross-site scripting in the Drupal Tagify contributed module allows low-privileged authenticated users to inject persistent malicious scripts that execute in the browsers of subsequent page visitors, including administrators. All Tagify module versions prior to 1.2.52 are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege Drupal account
Delivery
Submit crafted XSS payload via Tagify tag input field
Exploit
Payload persisted to Drupal database
Execution
Victim navigates to page rendering poisoned tag content
Persist
Malicious script executes in victim browser session
Impact
Session token or credentials exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated user account holding a Drupal role with permission to create or edit content that uses a Tagify-widget field (PR:L per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.4 Medium score is consistent with a network-reachable (AV:N), low-complexity (AC:L) stored XSS requiring low privilege to submit (PR:L) and user interaction from a victim (UI:R), with Changed scope (S:C) and limited confidentiality and integrity impact (C:L/I:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user with a low-privilege role - such as a registered site member or content contributor - submits a crafted JavaScript payload embedded in a Tagify tag field on a content creation or editing form. The payload is persisted to the Drupal database. …
Remediation Upgrade the Drupal Tagify module to version 1.2.52 or later, which contains the vendor-released patch per the security advisory at https://www.drupal.org/sa-contrib-2026-043. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43049 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy