CVE-2025-13983

CVE-2025-13983: Tagify - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-121

Vendor Drupal
Product Tagify
Weakness CWE-79 · XSS
Published January 28, 2026
Last update January 29, 2026

CVSS base score

What the vulnerability does

01Description

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.44.

Explanation of Vulnerability in Simple Terms

02Summary

The Tagify Drupal module contains a cross-site scripting (XSS) vulnerability in versions before 1.2.44. An attacker can inject malicious scripts that execute in the browsers of site visitors or administrators. The vulnerability exists in how the module processes user input without proper sanitization. Update to version 1.2.44 or later to resolve this issue.

What an attacker can do

03Attacker Capabilities

Inject malicious scripts that run in visitors' browsers to steal credentials or deface content.

Potential impact on your site

04Site Impact

Visitors or admins viewing affected content could have their sessions hijacked or see malicious content.

Conditions required to exploit

05Prerequisites

Ability to submit input to a Tagify field; may require user interaction or specific permissions.

Key dates

06Disclosure timeline

January 28, 2026 CVE published
January 29, 2026 Record updated