CVE-2026-4093: Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)

Q: What is the severity of CVE-2026-4093?

CVE-2026-4093 has a medium severity rating of 5.1 on the CVSS scale.

Q: What types of attacks are possible with CVE-2026-4093?

CVE-2026-4093 allows for stored cross-site scripting (XSS) attacks via attacker-controlled token output.

Q: How do I fix CVE-2026-4093?

To fix CVE-2026-4093, update the Drupal Term Reference Tree module to the latest version that addresses the vulnerability.

Q: Which module is affected by CVE-2026-4093?

CVE-2026-4093 affects the Term Reference Tree module in Drupal 7.

Q: When was CVE-2026-4093 published?

CVE-2026-4093 was published on May 21, 2026.

Published May 21, 2026

Updated

In the Drupal 7 Term Reference Tree module, two stored XSS vectors exist in the widget/formatter rendering pipeline. Vector A (token display templates): When the Token module is enabled and token display templates are configured, attacker-controlled token output (e.g., term description) is rendered without proper sanitization. Any user who can edit the referenced taxonomy terms can inject HTML/JS that executes when the field is rendered. Vector B (term label rendering): Taxonomy term labels are not properly sanitized before being rendered in the widget, allowing a user with permission to create or edit taxonomy terms to inject scripts into the term name that execute when a form containing the widget is viewed. Exploit affects versions 7.x-1.x up to and including 7.x-1.11.

Affected Software

2 affected components

Drupal Term Reference Tree<=7.x-1.11

Taxonomy Term Reference Tree Widget Project Taxonomy Term Reference Tree Widget Drupal>=7.x-1.0<7.x-1.12

Event History

May 21, 2026

CVE Published

via MITRE·09:50 PM

Data Sourced

via MITRE·09:50 PM

DescriptionWeakness

Data Sourced

via NVD·10:16 PM

DescriptionSeverityWeaknessAffected Software

Frequently Asked Questions

What is the severity of CVE-2026-4093?

CVE-2026-4093 has a medium severity rating of 5.1 on the CVSS scale.

What types of attacks are possible with CVE-2026-4093?

CVE-2026-4093 allows for stored cross-site scripting (XSS) attacks via attacker-controlled token output.

How do I fix CVE-2026-4093?

To fix CVE-2026-4093, update the Drupal Term Reference Tree module to the latest version that addresses the vulnerability.

Which module is affected by CVE-2026-4093?

CVE-2026-4093 affects the Term Reference Tree module in Drupal 7.

When was CVE-2026-4093 published?

CVE-2026-4093 was published on May 21, 2026.

CVSS Score

5.1Medium

Medium Severity

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Security Metrics

Risk Score34

Severitymedium(5.1)

CWE

Timeline

PublishedMay 21, 2026

Updated

References

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.