Cross-Site Scripting Vulnerability in Drupal Tagify Plugin
CVE-2026-11908

Currently unrated

Key Information:

Vendor

Drupal

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-11908?

The vulnerability in the Drupal Tagify plugin allows for the improper neutralization of input during web page generation. This leads to a Stored Cross-Site Scripting (XSS) risk, where an attacker can inject malicious scripts into web applications viewed by other users. The flaw resides in Tagify versions ranging from 0.0.0 to 1.2.52, making it essential for users to keep their installations updated to mitigate this issue.

Affected Version(s)

Tagify 0.0.0 < 1.2.52

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Rudloff (prudloff)
David Galeano (gxleano)
Greg Knaddison (greggles)
Dave Long (longwave)
Pierre Rudloff (prudloff)
.