CVE-2026-4093— Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)
Possible ATT&CK Techniques 2AI
T1189 · Drive-by Compromise T1059 · Command and Scripting InterpreterAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Drupal | Term Reference Tree | 7.x-1.x≤ 7.x-1.11 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-4093
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered. Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed. Exploit affects versions 7.x-1.x up to and including 7.x-1.11.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Drupal 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Drupal是Drupal社区的一套使用PHP语言开发的开源内容管理系统。 Drupal 7.x-1.11及之前的7.x-1.x版本存在跨站脚本漏洞,该漏洞源于Term Reference Tree中小部件/格式化程序渲染管道中存在两个存储型跨站脚本向量,可能导致攻击者注入HTML/JS。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Drupal | Term Reference Tree | 7.x-1.x ~ 7.x-1.11 | - |
II. Public POCs for CVE-2026-4093
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-4093
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-4093 (1)
Other References for CVE-2026-4093 (1)
IV. Related Vulnerabilities
Same vendor: Drupal
- CVE-2026-4929
Simple Hierarchical Select (Drupal 7) XSS in term-derived ou - CVE-2026-9082
Drupal core - Highly critical - SQL injection - SA-CORE-2026 - CVE-2026-8495
Date iCal - Critical - Information disclosure - SA-CONTRIB-2 - CVE-2026-8493
Colorbox Inline - Moderately critical - Cross-site scripting - CVE-2026-8492
Translate Drupal with GTranslate - Less critical - DOM clobb
Same weakness: CWE-79
- CVE-2026-46426
Budibase: Unrestricted Upload of File with Dangerous Type - CVE-2026-48149
Budibase: Stored XSS in Text component: BASIC users execute - CVE-2026-49044
WordPress Advanced Custom Fields: Font Awesome Field plugin - CVE-2026-49102
Webmin <2.640 XSS漏洞 - CVE-2026-47119
Agent Zero < 1.15 Stored XSS via image_get API Endpoint
V. Comments for CVE-2026-4093
No comments yet