DRUPAL-CONTRIB-2026-013

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tagify/DRUPAL-CONTRIB-2026-013.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-013

Aliases

CVE-2026-3212

Published

2026-02-25T18:45:13Z

Modified

2026-02-25T19:44:42.411114Z

Summary

[none]

Details

This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets.

The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content.

References

https://www.drupal.org/sa-contrib-2026-013

Credits

- David López (akalam)
- - https://www.drupal.org/u/akalam
- Mingsong (mingsong)
- - https://www.drupal.org/u/mingsong

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/tagify

Package

Name: drupal/tagify
Purl: pkg:composer/drupal/tagify

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.2.49

Database specific

{
    "constraint": "<1.2.49"
}

Database specific

affected_versions

"<1.2.49"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tagify/DRUPAL-CONTRIB-2026-013.json"