CVE-2026-4093

Source
https://cve.org/CVERecord?id=CVE-2026-4093
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4093.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-4093
Published
2026-05-21T21:50:42.339Z
Modified
2026-07-15T01:48:59.922032726Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)
Details

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.

Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.

Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.

Exploit affects versions 7.x-1.x up to and including 7.x-1.11.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4093.json",
    "cna_assigner": "drupal"
}
References

Affected packages

Git / git.drupalcode.org/project/term_reference_tree

Affected ranges

Type
GIT
Repo
https://git.drupalcode.org/project/term_reference_tree
Events
Introduced
858622997241cf04dddf9f0dd130cd48f9e9fd37
Last affected
98f658b9d8c4e4585c8fa98cf81aad6bf990f7b4
Database specific
{
    "extracted_events": [
        {
            "introduced": "7.x-1.x"
        },
        {
            "last_affected": "7.x-1.11"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

7.*
7.x-1.0
7.x-1.0-beta4
7.x-1.10
7.x-1.11
7.x-1.2
7.x-1.3
7.x-1.4
7.x-1.5
7.x-1.7
7.x-1.8
7.x-1.9
7.x-1.9-beta1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4093.json"