PatchSiren cyber security CVE debrief
CVE-2026-4093 Drupal CVE debrief
CVE-2026-4093 is a stored cross-site scripting issue in the Drupal 7 Term Reference Tree module. The NVD record was published and last modified on 2026-05-21. Two rendering-path vectors are described: one when Token module display templates render attacker-controlled token output without proper sanitization, and another when taxonomy term labels are rendered unsanitized in the widget. The issue affects 7.x-1.x through 7.x-1.11 and is rated CVSS 5.1 (MEDIUM) in the supplied record.
- Vendor: Drupal
- Product: Term Reference Tree
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Drupal site owners, administrators, and security teams running the Term Reference Tree module, especially installations that also use the Token module or allow users to create or edit taxonomy terms. Content editors and developers responsible for taxonomy-backed forms should also review exposure.
Technical summary
The vulnerability is a stored XSS flaw in the module’s widget/formatter rendering pipeline. In the first vector, configured token display templates can reflect attacker-controlled token values, such as term descriptions, into rendered output without adequate sanitization. In the second vector, taxonomy term labels are not properly sanitized before widget rendering, allowing malicious HTML or script content in term names to execute when a form containing the widget is viewed. The supplied record maps the issue to CWE-79.
Defensive priority
Medium-high. Although the published CVSS score is medium, this is a stored XSS affecting rendering of forms and field output, so sites that expose the module to multiple editors or untrusted term input should prioritize remediation.
Recommended defensive actions
- Inventory Drupal 7 sites for the Term Reference Tree module and confirm whether any instance is on 7.x-1.11 or earlier.
- Upgrade to a maintainer-provided fixed release newer than 7.x-1.11 if available, or remove the module from unsupported systems.
- If the Token module is enabled, review any token display templates used by this module and disable unnecessary template-based output until remediation is in place.
- Audit taxonomy term creation and edit permissions so only trusted roles can supply term names and descriptions.
- Review existing term labels and descriptions for unexpected HTML or script content, and clean or re-enter suspicious values.
- Test affected forms and field renderings in a staging environment after remediation to confirm that term output is escaped correctly.
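An added audit script for the "review existing term labels and descriptions" step (example code, not from the module, Drupal, or the advisory): it takes term rows as dicts with tid, name and description, as would be exported from the Drupal 7 taxonomy_term_data table, flags any markup in names and only active content (script-type tags, event handlers, javascript: URLs) in descriptions, and safe_label shows the escaping the widget should apply to a name. The sample rows are constructed.

```python
import html
import re
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "math"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
SCRIPT_URL = re.compile(r"^\s*javascript:", re.I)

class MarkupInspector(HTMLParser):
    # Records every tag seen and any construct that executes rather than formats.
    def __init__(self):
        super().__init__()
        self.tags, self.active = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag in ACTIVE_TAGS:
            self.active.append(f"<{tag}>")
        for attr, value in attrs:
            if EVENT_ATTR.match(attr):
                self.active.append(f"{attr}=")
            elif attr in ("href", "src") and value and SCRIPT_URL.match(value):
                self.active.append(f"{attr}=javascript:")

def inspect(text):
    parser = MarkupInspector()
    parser.feed(text)
    return parser

def audit_terms(rows):
    # Return (tid, field, reason) tuples for term fields that need review.
    findings = []
    for row in rows:
        name, desc = inspect(row["name"]), inspect(row["description"])
        if name.tags:  # a term name is plain text; any tag at all is suspicious
            findings.append((row["tid"], "name", ", ".join(f"<{t}>" for t in name.tags)))
        if desc.active:  # descriptions may carry formatting, so report only active content
            findings.append((row["tid"], "description", ", ".join(desc.active)))
    return findings

def safe_label(name):
    return html.escape(name, quote=True)  # what the widget should do before emitting a name

# Constructed sample rows shaped like taxonomy_term_data exports (tid, name, description).
SAMPLE_TERMS = [
    {"tid": 1, "name": "Networking", "description": "<p>Routers &amp; switches</p>"},
    {"tid": 2, "name": "Events<script>x</script>", "description": ""},
    {"tid": 3, "name": "Policy", "description": '<a href="javascript:void(0)">read</a>'},
]
```

Run audit_terms over the full export and re-enter or clean every flagged value; term 1 is deliberately left unflagged because plain formatting in a description is normal.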
Evidence notes
The debrief is based on the supplied NVD modified record and the linked advisory references. The record explicitly describes two stored XSS vectors, the affected versions (7.x-1.x through 7.x-1.11), and the CWE-79 mapping. The supplied vendor attribution is low-confidence and marked for review, so product naming is kept aligned to the source description.
Official resources
The CVE record was published and last modified on 2026-05-21T22:16:48.290Z. No CISA KEV entry is present in the supplied data.