Skip to main content

Taxonomy Term Reference Tree Widget

1 CVEs product

Monthly

CVE-2026-4093 MEDIUM This Month

Stored cross-site scripting in the Drupal 7 Term Reference Tree module (versions 7.x-1.x through 7.x-1.11) exposes two distinct injection vectors in its widget and formatter rendering pipeline, both exploitable by any authenticated user with taxonomy term edit permissions. Vector A triggers when the Token module is enabled and token display templates are configured, allowing attacker-controlled term description output to render unsanitized. Vector B targets the widget itself, where taxonomy term labels are written to form output without sanitization, executing injected scripts in the browsers of users who view any form containing the widget. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low privilege bar and persistent nature of stored XSS make this a meaningful risk in multi-user Drupal 7 deployments.

XSS Taxonomy Term Reference Tree Widget
NVD HeroDevs
CVSS 4.0
5.1
EPSS
0.0%
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in the Drupal 7 Term Reference Tree module (versions 7.x-1.x through 7.x-1.11) exposes two distinct injection vectors in its widget and formatter rendering pipeline, both exploitable by any authenticated user with taxonomy term edit permissions. Vector A triggers when the Token module is enabled and token display templates are configured, allowing attacker-controlled term description output to render unsanitized. Vector B targets the widget itself, where taxonomy term labels are written to form output without sanitization, executing injected scripts in the browsers of users who view any form containing the widget. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low privilege bar and persistent nature of stored XSS make this a meaningful risk in multi-user Drupal 7 deployments.

XSS Taxonomy Term Reference Tree Widget
NVD HeroDevs

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy