CVE-2026-4093 MEDIUM

CVE-2026-4093: Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)

Vendor Drupal
Product Term Reference Tree
Weakness CWE-79 · XSS
Published May 21, 2026
Last update May 22, 2026

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered. Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed. Exploit affects versions 7.x-1.x up to and including 7.x-1.11.

Explanation of Vulnerability in Simple Terms

02Summary

The Term Reference Tree module for Drupal contains a cross-site scripting (XSS) vulnerability in versions 7.x-1.0 through 7.x-1.11. An attacker with low-level site access can inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction to trigger.

What an attacker can do

03Attacker Capabilities

Inject malicious scripts that run in other users' browsers to steal session tokens or perform actions on their behalf.

Potential impact on your site

04Site Impact

Authenticated attackers can compromise other users' accounts or sessions through script injection on your site.

Conditions required to exploit

05Prerequisites

Attacker needs low-level site access (e.g., authenticated user account) and the victim must visit a page containing the injected payload.

Key dates

06Disclosure timeline

May 21, 2026 CVE published
May 22, 2026 Record updated

Related vulnerabilities

08Related CVE