DRUPAL-CONTRIB-2026-024

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ga4_google_analytics/DRUPAL-CONTRIB-2026-024.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-024

Aliases

CVE-2026-3529

Published

2026-03-04T17:59:51Z

Modified

2026-03-05T19:01:18.496838Z

Summary

[none]

Details

The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes.

This vulnerability is mitigated by the fact that an attacker must have a role with the "ga4 configure" (or "administer google analytics ga4 settings") permission.

An attacker with this permission could inject malicious JavaScript via event handlers (such as onload) or override the script source, leading to a Cross-Site Scripting (XSS) attack on all pages where the GA4 script is loaded.

Note: this advisory initially suggested it was fixed in the 1.1.13 release, but the 1.1.13 releaes was missing the fix. Users of this module should switch to the 1.1.14 release.

References

https://www.drupal.org/sa-contrib-2026-024

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/ga4_google_analytics

Package

Name: drupal/ga4_google_analytics
Purl: pkg:composer/drupal/ga4_google_analytics

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.1.14

Database specific

{
    "constraint": "<1.1.14"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/ga4_google_analytics/DRUPAL-CONTRIB-2026-024.json"

affected_versions

"<1.1.14"