CVE-2026-4093

Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)

Assigner: drupal
Reserved: 12.03.2026 Published: 21.05.2026 Updated: 22.05.2026

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline.

Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered.

Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed.

Exploit affects versions 7.x-1.x up to and including 7.x-1.11.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	Low
Attack Complexity	Low	Integrity	Low	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Drupal
Product	Term Reference Tree
Versions	Default: unaffected affected from 7.x-1.x to 7.x-1.11 (incl.)

Vendor

Drupal

Product

Term Reference Tree

Versions

Default: unaffected

affected from 7.x-1.x to 7.x-1.11 (incl.)

References

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE

Impacts