CVE-2026-3212

CVE-2026-3212: Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013

Vendor Drupal

Product Tagify

Weakness CWE-79 · XSS

Published March 25, 2026

Last update March 26, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

01Description

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.49.

Explanation of Vulnerability in Simple Terms

02Summary

The Tagify Drupal module contains a cross-site scripting (XSS) vulnerability in versions before 1.2.49. An attacker can inject malicious scripts that execute in the browsers of site visitors or administrators. The vulnerability exists in user-supplied input that is not properly sanitized before being displayed. Update to version 1.2.49 or later to fix this issue.

What an attacker can do

03Attacker Capabilities

Inject malicious scripts that run in visitors' browsers to steal credentials or deface content.

Potential impact on your site

04Site Impact

Visitors and admins could have their sessions hijacked, credentials stolen, or see malicious content injected into your site.

Conditions required to exploit

05Prerequisites

Ability to submit input to the vulnerable Tagify field; may require user interaction if the payload is reflected.

Key dates

06Disclosure timeline

March 25, 2026 CVE published

March 26, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-3212

Related vulnerabilities