What the vulnerability does
01Description
In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.
Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.
Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.
Exploit affects versions 7.x-1.x up to and including 7.x-1.11.
Explanation of Vulnerability in Simple Terms
02Summary
The Term Reference Tree module for Drupal contains a cross-site scripting (XSS) vulnerability in versions 7.x-1.0 through 7.x-1.11. An attacker with low-level site access can inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction to trigger.
What an attacker can do
03Attacker Capabilities
Inject malicious scripts that run in other users' browsers to steal session tokens or perform actions on their behalf.
Potential impact on your site
04Site Impact
Authenticated attackers can compromise other users' accounts or sessions through script injection on your site.
Conditions required to exploit
05Prerequisites
Attacker needs low-level site access (e.g., authenticated user account) and the victim must visit a page containing the injected payload.
Key dates
06Disclosure timeline
May 21, 2026
CVE published
May 22, 2026
Record updated