Description

Simple Hierarchical Select (SHS) for Drupal 7 contains a cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected code paths include the field formatter output (shs_field_formatter_view) and the term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered without escaping, depending on the output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.

PUBLISHED Reserved 2026-03-26 | Published 2026-05-21 | Updated 2026-05-22 | Assigner drupal

MEDIUM: 5.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Problem types

Cross-site Scripting (XSS)

Product status

Default status
unknown

7.x-1.0 (custom) before 7.x-1.11
affected

Credits

Reporter: Ra Mänd (ram4nd) finder

References

www.herodevs.com/...directory/cve-2026-4929?nes-for-drupal-7 exploit

www.herodevs.com/vulnerability-directory/cve-2026-4929 (NES patch branch comparison) third-party-advisory

d7es.tag1.com/...ct-moderately-critical-cross-site-scripting third-party-advisory

cve.org (CVE-2026-4929)

nvd.nist.gov (CVE-2026-4929)