AT Internet SmartTag - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-003

Project:

Date:

2026-January-14

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All

Vulnerability:

Cross-site Scripting

Affected versions:

<1.0.1

CVE IDs:

CVE-2026-0946

Description:

This module integrates the AT Internet SmartTag service.

The module does not filter administrator-entered text leading to a persistent Cross-site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer atsmarttag".

Solution:

Install the latest version and confirm the permissions associated with the module are assigned to appropriate roles.

If you use the AT Internet SmartTag module for Drupal 9 and 10, upgrade to AT Internet SmartTag 1.0.1

Reported By:

Fixed By:

Coordinated By:

Contact and more information

The Drupal security team can be reached by email at security at drupal.org or via the contact form.

Follow the Drupal Security Team on Bluesky, or Mastodon or Linkedin.

The security team is made up of volunteers around the world. The companies above have sponsored time on this release.