CVE-2026-3529

CVE-2026-3529: Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024

Vendor Drupal
Product Google Analytics GA4
Weakness CWE-79 · XSS
Published March 26, 2026
Last update March 27, 2026

What the vulnerability does

01 Description

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS). This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.

Explanation of Vulnerability in Simple Terms

02 Summary

The Google Analytics GA4 module for Drupal contains a cross-site scripting (XSS) vulnerability in versions before 1.1.14. An attacker can inject malicious scripts that execute in the browsers of site visitors or administrators. The vulnerability exists in how the module processes or displays user-controlled input without proper sanitization.

What an attacker can do

03 Attacker Capabilities

Inject malicious JavaScript that runs in visitors' browsers, potentially stealing session tokens or redirecting users.

Potential impact on your site

04 Site Impact

Visitors and admins may have their sessions hijacked or be redirected to malicious sites when viewing affected pages.

Conditions required to exploit

05 Prerequisites

Ability to control input that the module displays (exact method unknown due to missing CVSS details).

Key dates

06 Disclosure timeline

March 26, 2026 CVE published
March 27, 2026 Record updated
