CVE-2026-4093

Affects: Term Reference Tree Widget in Drupal 7
Versions: >= 7.1.x <=7.1.11
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications.

Taxonomy Term Reference Tree Widget module provides an expandable tree widget for the Taxonomy Term Reference field, enabling hierarchical selection of terms.

A cross-site scripting issue in the Term Reference Tree widget allows malicious markup to be injected into the rendered term tree, potentially executing in a user’s browser when the widget is displayed. The weakness can be triggered through either token-based display templates or unescaped term labels, depending on widget configuration.

A cross-site scripting (XSS) vulnerability is a type of security flaw that allows attackers to inject malicious scripts into webpages. It often occurs when a site fails to properly validate or sanitize user input, enabling the execution of unauthorized code within a victim's browser. It is included in the OWASP Top Ten list of vulnerabilities, specifically in the third category of Injection. A web site compromised in this way may experience:

  • Session hijacking
  • Data theft
  • Malware distribution
  • Defacement or phishing
  • Privilege escalation

This issue affects Term Reference Tree Widget versions 7.0.0 up to and including 7.1.11.

Details

Vulnerability Info

Token-display template XSS: When the widget uses token display templates (token_display_selected / token_display_unselected), token output is rendered without proper escaping. If a token resolves to attacker-controlled markup, it can execute in the browser.

Term label rendering XSS: In certain widget configurations (for example when the parent term is rendered as a label rather than a checkbox), the term label can be output without safe escaping. A malicious taxonomy term name can therefore trigger script execution when the widget renders the term tree.

These medium-severity vulnerabilities are found in the Term Reference Tree module in versions greater than 7.0.0 and less than or equal to 7.1.11.
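To make the two rendering paths concrete, the following is an added example (not code from the Term Reference Tree module or from the HeroDevs patch) of a hypothetical helper module named example_tree. It shows the term label and the token display template being rendered with Drupal 7 core escaping (check_plain(), token_replace(), filter_xss()) in place of the unescaped output the advisory describes; the function names, the leaves-only flag and the minimal allow-list are assumptions for the illustration.

```php
<?php
/**
 * Added example (hypothetical module "example_tree"); not the widget's code.
 * Demonstrates the two output paths named in the advisory with escaping applied.
 */

/**
 * Renders a term label as text. check_plain() (Drupal 7 core) escapes
 * <, >, &, " so a term name such as <script>alert(1)</script> is displayed,
 * never parsed as markup. The unsafe pattern the advisory describes would be
 * the raw concatenation '<label>' . $term->name . '</label>'.
 */
function example_tree_term_label($term) {
  return '<label>' . check_plain($term->name) . '</label>';
}

/**
 * Renders a token display template (token_display_selected / _unselected)
 * for one term. token_replace() resolves tokens such as [term:description];
 * because a description may carry a permissive text format (e.g. Full HTML),
 * the resolved string is additionally passed through filter_xss() with a
 * minimal allow-list before it is placed in the tree.
 */
function example_tree_token_display($template, $term) {
  if ($template === '') {
    return '';
  }
  $replaced = token_replace($template, array('term' => $term), array('clear' => TRUE));
  // Allow-list assumed for the example: only inline emphasis survives.
  return filter_xss($replaced, array('em', 'strong'));
}

/**
 * Assembles one tree row. When the widget is configured for leaves only and
 * the term has children, the parent is rendered as a label instead of a
 * checkbox (the configuration in which the label path is reached).
 */
function example_tree_row($term, $has_children, $leaves_only, $template) {
  $label = example_tree_term_label($term);
  if ($leaves_only && $has_children) {
    return '<div class="term-tree-parent">' . $label . '</div>';
  }
  $checkbox = '<input type="checkbox" name="tids[]" value="' . (int) $term->tid . '"> ';
  return '<div class="term-tree-leaf">' . $checkbox . $label
    . example_tree_token_display($template, $term) . '</div>';
}
```

The point of the filter_xss() step is that sanitizing the token itself is not enough when the token resolves to content that was already rendered through a permissive text format; the widget has to decide on its own allow-list for what it embeds.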

Steps To Reproduce

For both vectors:

  1. Create a Drupal 7 installation and install an affected Term Reference Tree Widget module version, such as 7.1.11.
  2. Enable the module.

Vector A: Token-display template XSS

  1. Install and enable the Token module.
  2. Create a vocabulary named “Example” (Structure -> Taxonomy -> Add vocabulary) and add at least one term.
  3. For the term, set the description format to Full HTML and enter a malicious payload such as <img src=x onerror=alert(1)>.
  4. Create a Basic Page node (node/add/page) and add a Term Reference field (“A Reference”).
  5. Set the field widget to “Term reference tree,” save, and keep the field settings as “Tags.”
  6. Configure the field display formatter (Manage display, not the widget settings):
    1. Go to admin/structure/types/manage/page/display.
    2. Set the formatter to “Term reference tree,” and save.
  7. Programmatically set the formatter settings (there is no UI for them in this version). For example, run this drush php-eval command to update the field instance display settings:
drush php-eval '$instance = field_info_instance("node","field_a_reference","page"); $instance["display"]["default"]["type"] = "term_reference_tree"; $instance["display"]["default"]["settings"]["token_display_selected"] = "[term:description]"; $instance["display"]["default"]["settings"]["token_display_unselected"] = ""; field_update_instance($instance);'
  8. Open the node view page (not the edit form) that renders the field.
  9. The token output renders within the formatter output, and the injected markup executes (the alert fires).

Vector B: Term label rendering XSS

  1. Set up a vocabulary named "Example" with a parent and a child term (Structure -> Taxonomy -> Add vocabulary).
  2. Create at least two terms (admin/structure/taxonomy/example/add): a parent term called "Parent" and a child term called "Child." After creating Child, use admin/structure/taxonomy/example to move Child beneath Parent.
  3. Go to Structure -> Content types -> Basic Page -> Manage fields.
  4. Add a field named "A Reference" of type "Term reference." Set the widget to "Term reference tree." Click Save. Set the Field Settings to "Tags." Click Save.
  5. Edit the widget settings for Term reference tree (admin/structure/types/manage/page/fields/field_a_reference). Enable "Leaves only" so the parent is rendered as a label rather than a checkbox.
  6. Inject the payload into the parent term label at taxonomy/term/1/edit:
<script>alert(1)</script>
  7. Trigger rendering by creating a Basic Page node (node/add/page).
  8. The parent term label renders and a dialog box appears.

Addressing the Issues

Users of the affected components should apply one of the following:

  • Disable the Term Reference Tree Widget module.
  • Install the Security Kit module and set a policy that forbids running inline scripts; be careful as this can break a site.
  • Disable or clear token display templates for the widget until patched; ensure token output is escaped (check_plain) before rendering.
  • Add a validation hook (hook_taxonomy_term_validate would work) that ensures only clean values get into the term; note that there are other ways to get values into the field that bypass the validate hook.
  • Ensure only trusted roles have access to editing taxonomy terms.
  • Use a web-application firewall (WAF) that strips out malicious strings.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.
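As an added example of the validation-hook mitigation listed above (not part of the Term Reference Tree module or of the HeroDevs patch), the following hypothetical custom module term_guard rejects term names that contain markup when the term is saved through the taxonomy term form, and, because other code paths (drush, migrations, programmatic saves) bypass form validation as the bullet notes, also strips markup in hook_taxonomy_term_presave() and logs the event. The module name, function names and log message are assumptions; the hooks and helpers (hook_form_FORM_ID_alter, form_set_error(), hook_taxonomy_term_presave(), check_plain(), watchdog()) are Drupal 7 core.

```php
<?php
/**
 * Added example (hypothetical module "term_guard"); not the widget's code.
 * Keeps markup out of taxonomy term names on both the form path and the
 * programmatic save path.
 */

/**
 * Returns TRUE when the name contains nothing check_plain() would escape.
 * This is deliberately strict: it also rejects bare "&" and quotes, which
 * is acceptable for term names and avoids guessing at tag syntax.
 */
function term_guard_name_is_clean($name) {
  return check_plain($name) === $name;
}

/**
 * Implements hook_form_FORM_ID_alter() for taxonomy_form_term.
 *
 * Attaches a validate callback to the core term add/edit form.
 */
function term_guard_form_taxonomy_form_term_alter(&$form, &$form_state) {
  $form['#validate'][] = 'term_guard_term_form_validate';
}

/**
 * Form validate callback: refuse to save a term whose name carries markup.
 */
function term_guard_term_form_validate($form, &$form_state) {
  if (!term_guard_name_is_clean($form_state['values']['name'])) {
    form_set_error('name', t('The term name may not contain HTML or script markup.'));
  }
}

/**
 * Implements hook_taxonomy_term_presave().
 *
 * Backstop for saves that never pass through the form: strip tags from the
 * name and record the attempt so it is visible in the watchdog/syslog feed
 * for detection.
 */
function term_guard_taxonomy_term_presave($term) {
  if (!term_guard_name_is_clean($term->name)) {
    $original = $term->name;
    $term->name = strip_tags($term->name);
    watchdog('term_guard',
      'Stripped markup from taxonomy term name %name (vocabulary %vid).',
      array('%name' => $original, '%vid' => $term->vid),
      WATCHDOG_WARNING);
  }
}
```

The presave backstop reduces the attack surface but does not replace output escaping: terms that already exist in the database are untouched by it, so the widget itself must still escape labels and token output when it renders the tree.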

Credits

Ra Mänd (ram4nd)

Vulnerability Details

Severity: Medium (CVSS scale: Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
ID: CVE-2026-4093
Project Affected: Term Reference Tree Widget
Versions Affected: >= 7.1.x <=7.1.11
NES Versions Affected:
Published date: April 15, 2026
≈ Fix date: January 6, 2026