CVE Alert

CVE-2026-4093

Severity: UNKNOWN (0.0)

Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.

Vector A (token display templates): when the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., the term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.

Vector B (term label rendering): taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.

The issue affects versions 7.x-1.x up to and including 7.x-1.11.

CWE: CWE-79
Vendor: drupal
Product: term reference tree
Ecosystems: (none listed)
Industries: WebMedia
Published: May 21, 2026
Last Updated: May 22, 2026

Affected Versions

Drupal / Term Reference Tree: 7.x-1.x ≤ 7.x-1.11

References

- herodevs.com: https://www.herodevs.com/vulnerability-directory/cve-2026-4093
- d7es.tag1.com: https://d7es.tag1.com/security-advisories/taxonomy-term-reference-tree-widget-moderately-critical-cross-site-scripting