CVE-2026-4929

Cross-Site Scripting
Affects: SHS Module in Drupal 7
Versions: >=7.1.0 <=7.1.11
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Drupal is an open-source content management system known for its flexibility, robust features, and strong community support. Organizations of all sizes use it to build and manage dynamic websites and web applications.

The Simple Hierarchical Select module adds a taxonomy-term widget that lets users choose terms by browsing the vocabulary hierarchy. 

SHS contains a cross-site scripting (XSS) weakness that can allow malicious markup in term labels to be rendered in the term tree or field output, potentially executing in a user’s browser.

A cross-site scripting (XSS) vulnerability is a type of security flaw that allows attackers to inject malicious scripts into webpages. It often occurs when a site fails to properly validate or sanitize user input, enabling the execution of unauthorized code within a victim's browser. It is included in the OWASP Top Ten list of vulnerabilities, specifically in the third category of Injection. A web site compromised in this way may experience:

  • Session hijacking
  • Data theft
  • Malware distribution
  • Defacement or phishing
  • Privilege escalation

This issue affects Simple Hierarchical Select versions 7.1.0 up to and including 7.1.11.

Details

Vulnerability Info

There is one underlying issue: unescaped output of term-derived text.

In affected SHS versions, this appears in two confirmed paths:

  • Field formatter output (shs_field_formatter_view) where term names could be rendered without escaping.
  • Term-tree data output (shs_term_get_children) where term names could be returned without escaping.

This can expose malicious markup in rendered output and may lead to XSS when inserted into unsafe HTML contexts.

These vulnerabilities affect SHS versions after 7.1.0 and are fixed in NES SHS 7.1.11.
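To make the two unescaped paths concrete, the following Drupal 7 functions are an illustration written for this page, not the SHS module's source or HeroDevs' patch (all `example_` names are hypothetical). Each pair shows the raw-output pattern the advisory describes next to its escaped counterpart, using only core APIs (check_plain(), l(), taxonomy_get_children(), drupal_json_output()); it assumes a loaded term object with `tid` and `name` properties.

```php
<?php
/**
 * Illustrative Drupal 7 code (hypothetical example_* functions).
 * Shows unescaped term-name output beside the escaped form for both
 * paths named in the advisory: a field formatter and an AJAX children list.
 */

/**
 * UNSAFE: formatter item that emits the term name verbatim.
 * A term named <script>alert(1)</script> lands in the page unchanged.
 */
function example_unsafe_formatter_item($term) {
  return array('#markup' => $term->name);
}

/**
 * SAFE: escape the name before it enters an HTML context.
 * check_plain() is core Drupal 7 and encodes <, >, &, " and '.
 * l() escapes its text argument by default, so the linked variant is
 * already safe without a second check_plain() (which would double-encode).
 */
function example_safe_formatter_item($term, $link_to_term = FALSE) {
  if ($link_to_term) {
    return array('#markup' => l($term->name, 'taxonomy/term/' . $term->tid));
  }
  return array('#markup' => check_plain($term->name));
}

/**
 * UNSAFE: child-term list for an AJAX response with raw labels.
 * Client code that writes the label as HTML (innerHTML, jQuery .html()
 * or .append() of a string) will parse any markup it contains.
 */
function example_unsafe_children($parent_tid, $vid) {
  $children = array();
  foreach (taxonomy_get_children($parent_tid, $vid) as $tid => $term) {
    $children[] = array('tid' => $tid, 'label' => $term->name);
  }
  return $children;
}

/**
 * SAFE: escape each label server-side so the JSON carries inert text.
 * The client must still treat the value as text (e.g. jQuery .text() or
 * option.textContent); escaping here protects the HTML-insertion case.
 */
function example_safe_children($parent_tid, $vid) {
  $children = array();
  foreach (taxonomy_get_children($parent_tid, $vid) as $tid => $term) {
    $children[] = array('tid' => $tid, 'label' => check_plain($term->name));
  }
  return $children;
}

/**
 * Page callback delivering the escaped children as JSON.
 */
function example_children_page($parent_tid, $vid) {
  drupal_json_output(example_safe_children($parent_tid, $vid));
}
```

The one design point worth noting: escape at the boundary where the value becomes HTML, and escape exactly once. Escaping the label in the formatter and again in a preprocess hook renders `&amp;lt;` to the user; letting l() or check_plain() be the single encoding step avoids that.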

Steps To Reproduce

Vector 1: Field Formatter (Unlinked Display)

This vulnerability occurs when a malicious term is displayed on a node using the SHS field formatter without being configured as a link.

Setup:

  1. Enable the shs module and its dependency taxonomy.
  2. Use the Tags vocabulary and the Article content type.
  3. Go to the Article content type's Manage fields screen and add a Term reference field that points to the "Tags" vocabulary, and set the widget to Simple Hierarchical Select.
  4. Go to the Manage display screen for the Article content type. Set the format for that field to Simple Hierarchical Select.
  5. Click the gear icon next to the field to access its settings, un-check the "Link to term page" option, and save.

Steps:

  1. Navigate to "Structure > Taxonomy > Tags" and add a new term.
  2. In the term name, enter an XSS payload such as: <script>alert("XSS Formatter")</script>. Save the term.
  3. Go to "Add content" and create a new Article.
  4. Using the SHS widget you configured, select the malicious term you just created.
  5. Save the node.
  6. View the node page.
  7. Observe an alert box appearing. The malicious term name is output raw to the page source because the formatter display lacks sanitization.

Vector 2: AJAX/JSON Data during Widget Interaction

This vulnerability triggers when users dynamically load options via SHS's dropdown widget. The shs_term_get_children() function was fetching term names without sanitizing them.

Setup

Same as above (SHS enabled, Term Reference field using SHS widget on a content type).

Steps to Reproduce

  1. Navigate to your Vocabulary and add a top-level parent term called Parent Term.
  2. Add a new term, with an XSS payload as its name (e.g., <script>alert("XSS JSON")</script>), and select Parent Term as its parent.
  3. Go to "Add content" and create a new node of the type that has the active SHS widget.
  4. In the SHS widget's root dropdown, select Parent Term.
  5. This action triggers an AJAX request to load the children terms for the newly populated second-level dropdown.
  6. Vulnerable Behavior: The AJAX JSON response returns the term's raw XSS string. Once the SHS client-side JavaScript receives this data and inserts it into the UI as a new <select> option, the malicious payload is exposed and potentially executed depending on how the active client-side framework handles the DOM injection.

Addressing the Issues

Users of the affected components should apply one of the following:

  • Disable SHS entirely and switch affected fields back to core taxonomy widgets/formatters.
  • Add strict output escaping in theme/preprocess overrides for any SHS-rendered term labels (check_plain() for plain-text labels, or filter_xss_admin() only where trusted markup is intended).
  • Add term-name sanitization on save (hook_taxonomy_term_presave / hook_entity_presave) to reject or strip markup-like input.
  • Restrict taxonomy term create/edit permissions to trusted roles only.
  • Add WAF rules to detect/block obvious script payload patterns in taxonomy-related requests.
  • Increase logging/alerting for taxonomy term edits and unusual SHS endpoint traffic.
  • Sign up for post-EOL security support; HeroDevs customers get immediate access to a patched version of this module.
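The presave-sanitization item above can be implemented as a small custom module. The code below is a hypothetical module named `example_term_hardening`, written for this page rather than taken from SHS, Drupal core or HeroDevs' patch; it uses only core hooks (hook_taxonomy_term_presave(), hook_form_FORM_ID_alter(), watchdog()) and plain PHP strip_tags(). It strips markup from any term saved by any path, logs the attempt so it is visible in the site log, and optionally rejects such names at the term form. Output escaping in the rendering path remains the primary fix; this only keeps markup out of stored labels as defence in depth.

```php
<?php
/**
 * @file
 * Hypothetical Drupal 7 module "example_term_hardening" (constructed for
 * this advisory; not part of SHS or Drupal core). Keeps HTML markup out of
 * taxonomy term names on save and logs attempts to store it.
 */

/**
 * Returns $name with HTML tags removed and surrounding whitespace trimmed.
 * strip_tags() is plain PHP. Entity-encoded text such as &lt;b&gt; is left
 * alone: it is inert until something decodes it, and the output escaping
 * in the render path handles it correctly.
 */
function example_term_hardening_clean_name($name) {
  return trim(strip_tags($name));
}

/**
 * TRUE when the label contains markup that clean_name() would remove.
 */
function example_term_hardening_has_markup($name) {
  return strip_tags($name) !== $name;
}

/**
 * Implements hook_taxonomy_term_presave().
 *
 * Runs for every term save (UI, Feeds, custom code), so it also covers
 * paths that bypass the term form. A WATCHDOG_WARNING entry gives a
 * detection signal for someone trying to store a script in a label.
 */
function example_term_hardening_taxonomy_term_presave($term) {
  if (example_term_hardening_has_markup($term->name)) {
    $original = $term->name;
    $term->name = example_term_hardening_clean_name($original);
    watchdog('example_term_hardening',
      'Stripped markup from term name %name (vocabulary %vocab, user %uid).',
      array(
        // watchdog escapes % placeholders when the log entry is displayed.
        '%name' => $original,
        '%vocab' => isset($term->vocabulary_machine_name) ? $term->vocabulary_machine_name : 'unknown',
        '%uid' => $GLOBALS['user']->uid,
      ),
      WATCHDOG_WARNING);
  }
}

/**
 * Implements hook_form_FORM_ID_alter() for taxonomy_form_term().
 *
 * Rejecting at the form is stricter than silently stripping: the editor
 * is told why the save failed instead of getting a quietly altered label.
 */
function example_term_hardening_form_taxonomy_form_term_alter(&$form, &$form_state) {
  $form['#validate'][] = 'example_term_hardening_term_validate';
}

/**
 * Form validation callback: refuse term names that contain markup.
 * The !empty() check skips the delete-confirmation variant of the form,
 * which carries no name value.
 */
function example_term_hardening_term_validate($form, &$form_state) {
  if (!empty($form_state['values']['name'])
      && example_term_hardening_has_markup($form_state['values']['name'])) {
    form_set_error('name', t('Term names may not contain HTML markup.'));
  }
}
```

Enable the module, then watch the "Recent log messages" report for `example_term_hardening` warnings; a burst of them against the same vocabulary is the kind of signal the logging/alerting item above is asking for. Note that strip_tags() keeps the text between tags, so a name of `<script>alert(1)</script>` is stored as `alert(1)`; that is harmless, but a site that prefers to reject outright gets that from the form validation half.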

Credits

Ra Mänd (ram4nd)

Vulnerability Details

Severity: Medium
(CVSS assessment levels: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10)
ID: CVE-2026-4929
Project affected: SHS Module
Versions affected: >=7.1.0 <=7.1.11
NES versions affected:
Published date: April 15, 2026
Approximate fix date: March 3, 2026
Category: Cross-Site Scripting