Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043

Project:

Tagify

Date:

2026-June-10

Security risk:

Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default

Vulnerability:

Cross-site scripting (XSS)

Affected versions:

<1.2.52

CVE IDs:

CVE-2026-11908

Description:

This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets.

The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability that may allow attackers to execute arbitrary JavaScript in the context of the user’s session.

The vulnerability is mitigated by the fact an attacker must have a role with permission to create or edit taxonomy terms in a vocabulary.

Solution:

Install the latest version of the Tagify module that includes a fix for sanitising parent term names in the Tagify dropdown rendering.

If you use the Tagify module for Drupal, upgrade to tagify 1.2.52.

More information will be provided in the project release notes once the fixed version is published.

Reported By:

Pierre Rudloff (prudloff) of the Drupal Security Team

Fixed By:

David Galeano (gxleano)

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Dave Long (longwave) of the Drupal Security Team
Pierre Rudloff (prudloff) of the Drupal Security Team

Contribution record

Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community