Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2026-February-25
Vulnerability:
Cross-site scripting
Affected versions:
<1.2.49
CVE IDs:
CVE-2026-3212
Description:
This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets.
The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content.
Solution:
Install the latest version:
- If you use the Tagify module, upgrade to Tagify 1.2.49 or later.
Reported By:
- David López (akalam)
- Mingsong (mingsong) provisional member of the Drupal Security Team
Fixed By:
- David López (akalam)
- David Galeano (gxleano)
- Mingsong (mingsong) provisional member of the Drupal Security Team
Coordinated By:
- Damien McKenna (damienmckenna) of the Drupal Security Team
- Dan Smith (galooph) of the Drupal Security Team
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Jess (xjm) of the Drupal Security Team
