Medium severity · NVD Advisory · Published May 21, 2026

CVE-2026-4093
Description

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.

Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.

Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.

Affected versions: 7.x-1.x up to and including 7.x-1.11.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-4093 describes two stored XSS vulnerabilities in the Drupal 7 Term Reference Tree module, allowing attackers to inject scripts via token output or unsanitized term labels.

Vulnerability

Overview

CVE-2026-4093 identifies two stored cross-site scripting (XSS) vulnerabilities in the Drupal 7 Term Reference Tree module (versions 7.x-1.x up to and including 7.x-1.11). The first vector occurs when the Token module is enabled: if token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization, allowing HTML/JS injection. The second vector stems from taxonomy term labels not being properly escaped before being rendered in the widget, enabling an attacker with term creation or editing permissions to inject malicious scripts into the term name [1][2].
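Both vectors described above (term names rendered in the widget, and token display templates expanded with term fields) come down to the same defect: attacker-influenced taxonomy text reaching HTML output without escaping. The following PHP is an added illustration, not code from the Term Reference Tree module or from Drupal; the functions, the term array and its values are constructed for this example. It contrasts an unsafe label/template renderer with a hardened one that escapes at output time, which is what Drupal 7's own check_plain() does and what token_replace() does by default unless it is called with 'sanitize' => FALSE.

```php
<?php
// Added example (hypothetical, not the module's code): escaping taxonomy text
// before it is placed into widget markup or a token display template.

// Same behaviour as Drupal 7's check_plain(): escape for safe insertion into HTML.
function escape_for_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Defective pattern (Vector B): the term name is concatenated into markup verbatim,
// so any markup stored in the term name is handed to the browser as markup.
function render_term_label_unsafe(array $term): string {
    return '<label for="tid-' . (int) $term['tid'] . '">' . $term['name'] . '</label>';
}

// Hardened pattern: every attacker-influenced string is escaped at output time.
function render_term_label_safe(array $term): string {
    return '<label for="tid-' . (int) $term['tid'] . '">'
        . escape_for_html($term['name']) . '</label>';
}

// Token display template (Vector A): a template such as
// "[term:name] - [term:description]" expanded with term field values.
// With $sanitize = false the term description is inserted raw, which is the
// condition the advisory describes; with $sanitize = true each value is escaped,
// mirroring token_replace()'s default 'sanitize' => TRUE behaviour.
function render_token_template(string $template, array $term, bool $sanitize): string {
    $values = [
        '[term:name]'        => $term['name'],
        '[term:description]' => $term['description'],
    ];
    if ($sanitize) {
        // array_map() keeps the string keys when given a single array.
        $values = array_map('escape_for_html', $values);
    }
    return strtr($template, $values);
}

// Defender's check: rendered output must not contain the raw tag from the
// stored text; only its escaped form is acceptable.
function output_is_escaped(string $rendered, string $stored): bool {
    return strpos($rendered, $stored) === false
        && strpos($rendered, escape_for_html($stored)) !== false;
}

// Constructed term whose name and description carry markup, as a user with
// taxonomy edit rights could store it. Values are made up for this example.
$term = [
    'tid'         => 42,
    'name'        => 'Apples <script>console.log("stored markup")</script>',
    'description' => 'Crisp & <b>sweet</b>',
];

echo render_term_label_unsafe($term), "\n";
echo render_term_label_safe($term), "\n";
echo render_token_template('[term:name] - [term:description]', $term, false), "\n";
echo render_token_template('[term:name] - [term:description]', $term, true), "\n";

// Review helper: true only for the hardened renderers.
var_dump(output_is_escaped(render_term_label_unsafe($term), $term['name']));
var_dump(output_is_escaped(render_term_label_safe($term), $term['name']));
var_dump(output_is_escaped(
    render_token_template('[term:description]', $term, true),
    $term['description']
));
```

Run it with `php example.php`. The point to take from it when reviewing a Drupal 7 widget or formatter is that escaping belongs at the output boundary, not at save time: a term name or description is stored as the user typed it, and every render path (widget labels, formatters, token templates) must pass it through check_plain(), filter_xss() or a sanitizing token_replace() before it becomes part of the page.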

Attack

Vector and Prerequisites

Both attack vectors require the user to have administrative-level permissions—specifically the ability to create or edit taxonomy terms—to inject malicious content. For the token-based vector, the Token module must be enabled and the widget configured to use token display templates. The XSS is triggered when a victim views a page containing the vulnerable widget or form, executing the injected script in their browser [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, data theft, defacement, phishing attacks, or privilege escalation. Since the vulnerability is stored, any user visiting the affected page is at risk [1].

Mitigation

The vendor has released a fix in Term Reference Tree 7.x-1.12. Users are strongly advised to upgrade immediately. No workaround is provided for unpatched versions. The vulnerability is not currently listed in the Known Exploited Vulnerabilities Catalog [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)