CVE Alert

CVE-2026-4929

UNKNOWN 0.0

Simple Hierarchical Select (Drupal 7) XSS in term-derived output

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.

Vendor: drupal
Product: simple hierarchical select (shs)
Ecosystems
Industries
WebMedia
Published: May 21, 2026
Last Updated: May 22, 2026
Affected Versions

Drupal / Simple Hierarchical Select (shs)
>= 7.x-1.0, < 7.x-1.11

References

herodevs.com: https://www.herodevs.com/vulnerability-directory/cve-2026-4929
d7es.tag1.com: https://d7es.tag1.com/security-advisories/simple-hierarchical-select-moderately-critical-cross-site-scripting
herodevs.com: https://www.herodevs.com/vulnerability-directory/cve-2026-4929?nes-for-drupal-7

Credits

Reporter: Ra Mänd (ram4nd)