Cross-Site Scripting Vulnerability in Google Analytics GA4 by Drupal
CVE-2026-3529

Currently unrated

Key Information:

Vendor

Drupal
CVE Published:
26 March 2026

What is CVE-2026-3529?

A Cross-Site Scripting (XSS) vulnerability in Google Analytics GA4 for Drupal lets attackers inject malicious scripts into pages viewed by users. It stems from inadequate neutralization of input during web page generation, so attacker-supplied content executes in the browser context of users who view the affected pages. Affected versions of Google Analytics GA4 range from 0.0.0 up to, but not including, 1.1.14. Users should update to the latest version to mitigate the risk.

Affected Version(s)

Google Analytics GA4 0.0.0 < 1.1.14

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pierre Rudloff (prudloff)
Sujan Shrestha (sujan shrestha)
Greg Knaddison (greggles)
Juraj Nemec (poker10)