CVE-2026-4929
Description
Simple Hierarchical Select (SHS) for Drupal 7 contains a cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on the output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Simple Hierarchical Select for Drupal 7 contains an XSS vulnerability due to improper escaping of taxonomy term names in field formatters and JSON output, fixed in version 7.x-1.12.
The Simple Hierarchical Select (SHS) module for Drupal 7 provides hierarchical select widgets for taxonomy term reference fields, allowing users to navigate nested term vocabularies via cascading select lists. A cross-site scripting (XSS) vulnerability exists because the module fails to properly escape term-derived text when rendering output in two contexts: the field formatter (shs_field_formatter_view) and the term-tree child-term data generation (shs_term_get_children) [1][2]. This allows maliciously crafted taxonomy term names to be rendered unsafely, potentially executing arbitrary HTML or JavaScript in a user's browser.
To exploit this vulnerability, an attacker must have administrative or content manager privileges to create or edit taxonomy terms with malicious payloads in the term name field. The attack surface is limited to sites using the SHS field formatter in unlinked display mode, or sites that cache term data for JavaScript components [2]. When a user views a page displaying such a term (e.g., in a field or through the hierarchical select widget), the unsanitized payload is rendered, leading to XSS [1].
A successful XSS attack could lead to session hijacking, data theft, malware distribution, defacement, or privilege escalation within the affected Drupal 7 site [1]. The vulnerability affects SHS versions from 7.x-1.0 up to and including 7.x-1.10 (as described in the official CVE description) and is confirmed in versions up to 7.1.11 by reference material [1][2].
The vulnerability is fixed in Simple Hierarchical Select version 7.x-1.12 (or later) for Drupal 7 [2]. Users running the SHS module on Drupal 7 should upgrade to this version immediately. The Tag1 D7ES security advisory notes that the issue is of moderately critical severity and requires administrative permissions to create malicious terms, which somewhat mitigates the risk [2].
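The two output contexts named above (HTML emitted by a field formatter, and JSON child-term data handed to the JavaScript widget) need different escaping, which is the point the advisory turns on. The following is an added illustration, not code from the SHS module, the advisory, or Drupal core: it uses plain-PHP equivalents of the Drupal 7 API (check_plain() is htmlspecialchars() with ENT_QUOTES and UTF-8; drupal_json_encode() is json_encode() with the JSON_HEX_* flags so that <, >, & and quotes are emitted as \u escapes), the function names render_term_unlinked_* and build_child_term_json_* are hypothetical, and the term name is a constructed sample.

```php
<?php
// Added example (not the SHS module's code). Demonstrates context-aware
// escaping of a taxonomy term name in the two places the advisory names.
// Plain-PHP stand-ins for Drupal 7 helpers (assumption, see lead-in):
//   check_plain($s)        ~ htmlspecialchars($s, ENT_QUOTES, 'UTF-8')
//   drupal_json_encode($v) ~ json_encode($v, JSON_HEX_TAG|JSON_HEX_AMP|JSON_HEX_APOS|JSON_HEX_QUOT)

// Constructed sample: a term whose name carries markup. Term names are
// editor-supplied data and must never be trusted as HTML.
$term = array(
  'tid'  => 42,
  'name' => '<script>alert(1)</script>Fruit',
);

// HTML context: the unlinked field-formatter display.
// Unsafe: the raw name is concatenated into markup, so the tag is live.
function render_term_unlinked_unsafe(array $term) {
  return '<span class="shs-term">' . $term['name'] . '</span>';
}

// Safe: escape for the HTML text context before concatenation.
function render_term_unlinked_safe(array $term) {
  $name = htmlspecialchars($term['name'], ENT_QUOTES, 'UTF-8');
  return '<span class="shs-term">' . $name . '</span>';
}

// JSON context: child-term data cached for the JavaScript select widget.
// Unsafe: json_encode() alone leaves < > & and quotes intact, so a value
// inlined into a <script> block or a data attribute can break out of it.
function build_child_term_json_unsafe(array $terms) {
  return json_encode($terms);
}

// Safe: hex-escape the HTML-significant characters inside the JSON strings;
// the decoded value is unchanged, but the serialized text is inert in HTML.
function build_child_term_json_safe(array $terms) {
  return json_encode($terms, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Minimal self-check: the safe variants must not contain a raw '<'.
function escaping_is_effective(array $term) {
  $children = array(array('tid' => $term['tid'], 'name' => $term['name']));
  return strpos(render_term_unlinked_safe($term), '<script') === false
      && strpos(build_child_term_json_safe($children), '<') === false;
}

echo render_term_unlinked_unsafe($term), "\n";
echo render_term_unlinked_safe($term), "\n";
$children = array(array('tid' => $term['tid'], 'name' => $term['name']));
echo build_child_term_json_unsafe($children), "\n";
echo build_child_term_json_safe($children), "\n";
var_dump(escaping_is_effective($term));
```

Running the script with `php escaping.php` prints the four renderings side by side; only the two "safe" variants keep the constructed term name inert. The design point is that the escaping must match the sink: HTML entity encoding is correct for markup text but does nothing for a JSON payload that is later inlined into a script, which is why the JSON path needs its own encoder flags rather than a shared check_plain() call.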
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: >=7.x-1.0 <=7.x-1.10
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.