Cross-Site Scripting Vulnerability in Drupal 7 Term Reference Tree Module
CVE-2026-4093

5.1 MEDIUM

Key Information:

Vendor: Drupal
CVE Published: 21 May 2026

What is CVE-2026-4093?

The Drupal 7 Term Reference Tree module is susceptible to two distinct cross-site scripting (XSS) vulnerabilities in its rendering pipeline. First, if the Token module is active, attacker-controlled token output can be rendered unsanitized, permitting users with editing access to inject malicious HTML or JavaScript. Second, taxonomy term labels are also inadequately sanitized, allowing users with the appropriate permissions to place scripts in term names that execute when the widget is viewed. These vulnerabilities present a significant risk to sites running the affected module versions, and affected systems should be inspected and patched promptly.
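The second issue, an unescaped term name reaching the widget's markup, as an added Drupal 7 illustration; this is a constructed sketch, not the Term Reference Tree module's code, and the sample term and the `build_option_*` functions are invented. `check_plain()` is Drupal 7's real HTML-escaping helper; a fallback definition is included so the snippet runs outside Drupal.

```php
<?php
// Constructed illustration (not the module's code): how a taxonomy term
// name reaches the browser with and without escaping.

// Drupal 7 defines check_plain(); outside Drupal, use the same escaping so
// this snippet runs stand-alone.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Constructed sample term, as a user with taxonomy edit permission could create it.
$term = (object) array(
  'tid'  => 42,
  'name' => 'Widgets <script>alert(document.domain)</script>',
);

// Vulnerable pattern: the raw term name is concatenated into HTML, so the
// script tag is delivered to every viewer of the widget.
function build_option_unsafe($term) {
  return '<label><input type="checkbox" value="' . $term->tid . '"> '
       . $term->name . '</label>';
}

// Hardened pattern: every untrusted string is escaped before it becomes
// markup, and the numeric id is cast. The same rule applies to token output
// placed into '#markup' or '#description' keys of a render array.
function build_option_safe($term) {
  return '<label><input type="checkbox" value="' . (int) $term->tid . '"> '
       . check_plain($term->name) . '</label>';
}

echo build_option_unsafe($term), "\n"; // script tag survives intact
echo build_option_safe($term), "\n";   // rendered as &lt;script&gt;..., inert text
```

A quick check for an existing site is to search the module's form-element and theme code for `$term->name` or token output written into `#markup`, `#description`, or `#title` without `check_plain()` or `filter_xss()`.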

Affected Version(s)

Term Reference Tree 7.x-1.x <= 7.x-1.11

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability reserved