View all Vulnerabilities

CVE-2026-4929

Cross-Site Scripting
Affects
SHS Module
in
Drupal 7
No items found.
Versions
>=7.1.0 <=7.1.11
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

View NES Solution

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications.

The Simple Hierarchical Select module adds a taxonomy-term widget that lets users choose terms by browsing the vocabulary hierarchy. 

SHS contains a cross-site scripting (XSS) weakness that can allow malicious markup in term labels to be rendered in the term tree or field output, potentially executing in a user’s browser.

A cross-site scripting (XSS) vulnerability is a type of security flaw that allows attackers to inject malicious scripts into webpages. It often occurs when a site fails to properly validate or sanitize user input, enabling the execution of unauthorized code within a victim's browser. It is included in the OWASP Top Ten list of vulnerabilities, specifically in the third category of Injection. A web site compromised in this way may experience:

  • Session hijacking
  • Data theft
  • Malware distribution
  • Defacement or phishing and
  • Privilege escalation.

This issue affects Simple Hierarchical Select versions 7.1.0 up to and including 7.1.11.

Details

Module Info

Vulnerability Info

There is one underlying issue: unescaped output of term-derived text.

In affected SHS versions, this appears in two confirmed paths:

  • Field formatter output (shs_field_formatter_view) where term names could be rendered without escaping.
  • Term-tree data output (shs_term_get_children) where term names could be returned without escaping.

This can expose malicious markup in rendered output and may lead to XSS when inserted into unsafe HTML contexts.

These vulnerabilities affect SHS versions after 7.1.0 and are fixed in NES SHS 7.1.11.

Addressing the Issues

Users of the affected components should apply one of the following:

  • Disable SHS entirely and switch affected fields back to core taxonomy widgets/formatters.
  • Add strict output escaping in theme/preprocess overrides for any SHS-rendered term labels (check_plain()/filter_xss_admin-safe patterns as appropriate).
  • Add term-name sanitization on save (hook_taxonomy_term_presave / hook_entity_presave) to reject or strip markup-like input.
  • Restrict taxonomy term create/edit permissions to trusted roles only.
  • Add WAF rules to detect/block obvious script payload patterns in taxonomy-related requests.
  • Increase logging/alerting for taxonomy term edits and unusual SHS endpoint traffic.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.

Credits

Ra Mänd (ram4nd)

Pink arrow
Pink arrow
CVE-2025-31687
CVE-2025-31689
SA-CORE-2025-002
SA-CONTRIB-2025-072
SA-CONTRIB-2025-028
CVE-2025-3901
CVE-2025-12848
CVE-2025-3900
CVE-2024-13247
CVE-2025-14556
CVE-2025-14557
CVE-2025-47705
CVE-2026-0750
CVE-2026-0749
CVE-2026-0748
CVE-2025-31675
CVE-2026-1556
CVE-2025-13083
CVE-2026-1917
CVE-2025-9551
CVE-2026-4929
CVE-2026-3214
CVE-2026-4093
What is a HeroDevs Security Advisory?
Vulnerability Details
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
Medium
ID
CVE-2026-4929
PROJECT Affected
SHS Module
Versions Affected
>=7.1.0 <=7.1.11
NES Versions Affected
Published date
April 15, 2026
≈ Fix date
March 3, 2026
Fixed in
NES for Drupal 7
Category
Cross-Site Scripting
Vex Document
Download VEXHow do I use it?
Sign up for the latest vulnerability alerts fixed in
NES for Drupal 7
Rss feed icon
Subscribe via RSS
or

By clicking “submit” I acknowledge receipt of our Privacy Policy.

Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.