CVE-2026-3529 PUBLISHED

Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024

Assigner: drupal
Reserved: 04.03.2026 Published: 26.03.2026 Updated: 26.03.2026

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.

Product Status

Vendor	Drupal
Product	Google Analytics GA4
Versions	Default: unaffected affected from 0.0.0 to 1.1.14 (excl.)

Credits

Pierre Rudloff (prudloff) finder
Sujan Shrestha (sujan shrestha) remediation developer
Greg Knaddison (greggles) coordinator
Juraj Nemec (poker10) coordinator

References

https://www.drupal.org/sa-contrib-2026-024

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)