Cross-Site Scripting in Simple Hierarchical Select for Drupal 7 by Drupal
CVE-2026-4929

5.1MEDIUM

Key Information:

Vendor: Drupal
Status: Simple Hierarchical Select (shs)
Vendor: CVE Published:; 21 May 2026

What is CVE-2026-4929?

The Simple Hierarchical Select (SHS) module for Drupal 7 is susceptible to cross-site scripting due to improper output escaping of term-derived text. This vulnerability allows malicious users to exploit taxonomy term names, which can be rendered unsafely based on the output context. Affected paths include the field formatter output and the generation of child-term data. This vulnerability impacts all versions from 7.x-1.0 up to and including 7.x-1.10.

Affected Version(s)

Simple Hierarchical Select (shs) 7.x-1.0 < 7.x-1.11

References

https://www.herodevs.com/vulnerability-directory/cve-2026...

third-party-advisory

https://d7es.tag1.com/security-advisories/simple-hierarch...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 21, 2026
Vulnerability Reserved
Mar 26, 2026

Credit

Reporter: Ra Mänd (ram4nd)

CVE-2026-4929 Data

JSON