DRUPAL-CONTRIB-2026-043

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tagify/DRUPAL-CONTRIB-2026-043.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-043

Aliases

CVE-2026-11908

Published

2026-06-10T17:07:12Z

Modified

2026-06-10T21:00:05.185038801Z

Summary

[none]

Details

This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets.

The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability that may allow attackers to execute arbitrary JavaScript in the context of the user’s session.

The vulnerability is mitigated by the fact an attacker must have a role with permission to create or edit taxonomy terms in a vocabulary.

References

https://www.drupal.org/sa-contrib-2026-043

Credits

- Pierre Rudloff (prudloff)
- - https://www.drupal.org/u/prudloff

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/tagify

Package

Name: drupal/tagify
Purl: pkg:composer/drupal%2Ftagify

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.2.52

Database specific

{
    "constraint": "<1.2.52"
}

Database specific

affected_versions

"<1.2.52"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tagify/DRUPAL-CONTRIB-2026-043.json"