CVE-2026-3212 PUBLISHED

Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013

Assigner: drupal
Reserved: 25.02.2026 Published: 25.03.2026 Updated: 25.03.2026

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.49.

Product Status

Vendor	Drupal
Product	Tagify
Versions	Default: unaffected affected from 0.0.0 to 1.2.49 (excl.)

Credits

David LÃ³pez (akalam) finder
Mingsong (mingsong) finder
David LÃ³pez (akalam) remediation developer
David Galeano (gxleano) remediation developer
Mingsong (mingsong) remediation developer
Damien McKenna (damienmckenna) coordinator
Dan Smith (galooph) coordinator
Greg Knaddison (greggles) coordinator
Drew Webber (mcdruid) coordinator
Jess (xjm) coordinator

References

https://www.drupal.org/sa-contrib-2026-013

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)