What the vulnerability does
01Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.
Explanation of Vulnerability in Simple Terms
02Summary
The Google Analytics GA4 module for Drupal contains a cross-site scripting (XSS) vulnerability in versions before 1.1.14. An attacker can inject malicious scripts that execute in the browsers of site visitors or administrators. The vulnerability exists in how the module processes or displays user-controlled input without proper sanitization.
What an attacker can do
03Attacker Capabilities
Inject malicious JavaScript that runs in visitors' browsers, potentially stealing session tokens or redirecting users.
Potential impact on your site
04Site Impact
Visitors and admins may have their sessions hijacked or be redirected to malicious sites when viewing affected pages.
Conditions required to exploit
05Prerequisites
Ability to control input that the module displays (exact method unknown due to missing CVSS details).
Key dates
06Disclosure timeline
March 26, 2026
CVE published
March 27, 2026
Record updated