CVE-2026-4929 PUBLISHED

Simple Hierarchical Select (Drupal 7) XSS in term-derived output

Assigner: drupal
Reserved: 26.03.2026 Published: 21.05.2026 Updated: 22.05.2026

Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
CVSS Score: 5.1

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	Low
Attack Complexity	Low	Integrity	Low	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	Passive

CVSS 4.0

Product Status

Vendor	Drupal
Product	Simple Hierarchical Select (shs)
Versions	Default: unknown affected from 7.x-1.0 to 7.x-1.11 (excl.)

CVE-2026-4929 PUBLISHED

Simple Hierarchical Select (Drupal 7) XSS in term-derived output

Metrics

Product Status

Credits

References

Problem Types