PT-2026-42578 · Drupal · Term Reference Tree

Author: Ra Mänd

Published: 2026-05-21 · Updated: 2026-05-22

CVE: CVE-2026-4093

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Drupal 7 Term Reference Tree versions 7.x-1.x through 7.x-1.11

Description: Two stored Cross-Site Scripting (XSS) vectors exist in the widget/formatter rendering pipeline. The first vector occurs when the Token module is enabled and token display templates are configured: attacker-controlled token output, such as term descriptions, is rendered without proper sanitization, so users who can edit the referenced taxonomy terms can inject HTML or JavaScript. The second vector involves taxonomy term labels that are not properly sanitized before being rendered in the widget, so users with permission to create or edit taxonomy terms can place script in the term name that executes when a form containing the widget is viewed.

Recommendations: Update Drupal 7 Term Reference Tree to a version later than 7.x-1.11.
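As an added illustration, not code from the Term Reference Tree module: a hypothetical Drupal 7 widget helper that renders one term the unsafe way the advisory describes (raw term name and raw token output concatenated into markup), beside a version that escapes the term name with check_plain() and filters token output with filter_xss(). The function names are assumptions; token_replace(), check_plain(), filter_xss() and module_exists() are Drupal 7 core APIs.

```php
<?php
// Added example (hypothetical helpers, not the module's own code). $term is a
// loaded taxonomy term object with ->tid and ->name; $template is an optional
// token display template such as "[term:name] - [term:description]".

/**
 * Unsafe pattern: the term name and the token output reach the page as-is.
 * A term named "<script>alert(1)</script>" runs when the form is viewed, and a
 * term description rendered through a permissive text format does the same.
 */
function example_tree_item_unsafe($term, $template = NULL) {
  $label = $term->name;
  if ($template !== NULL && module_exists('token')) {
    // Token output is trusted verbatim; nothing between here and the browser escapes it.
    $label = token_replace($template, array('term' => $term), array('clear' => TRUE));
  }
  return '<li><label><input type="checkbox" name="tids[]" value="' . $term->tid . '"> '
    . $label . '</label></li>';
}

/**
 * Safe pattern: escape at the point the string becomes HTML. check_plain()
 * turns the term name into inert text; filter_xss() strips script-bearing tags
 * and attributes from token output that is allowed to carry limited HTML.
 */
function example_tree_item_safe($term, $template = NULL) {
  $label = check_plain($term->name);
  if ($template !== NULL && module_exists('token')) {
    $replaced = token_replace($template, array('term' => $term), array('clear' => TRUE));
    $label = filter_xss($replaced);
  }
  return '<li><label><input type="checkbox" name="tids[]" value="' . (int) $term->tid . '"> '
    . $label . '</label></li>';
}
```

Reviewing a widget for this class of bug comes down to locating every place a term name or token result is concatenated into markup and confirming an escaping call sits between the stored value and the output.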


XSS

Weakness Enumeration

Related Identifiers: CVE-2026-4093

Affected Products: Term Reference Tree