PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-4929 Drupal CVE debrief

CVE-2026-4929 is a medium-severity cross-site scripting issue in Simple Hierarchical Select (SHS) for Drupal 7. The problem comes from improper output escaping of term-derived text, which can be rendered unsafely in affected output paths. The confirmed impacted code paths in the source corpus are the field formatter output path (shs_field_formatter_view) and the term-tree child-term data generation path (shs_term_get_children). Versions 7.x-1.0 through 7.x-1.10 are affected.

Vendor: Drupal
Product: Simple Hierarchical Select (shs)
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Drupal 7 administrators, maintainers, and site builders using Simple Hierarchical Select should prioritize this issue, especially if taxonomy term names or other term-derived values are exposed in rendered pages or widgets. Security teams responsible for legacy Drupal 7 deployments should also review it because the vulnerable paths are in output generation, where XSS can affect end users viewing the content.

Technical summary

The vulnerability is a cross-site scripting flaw caused by insufficient escaping of text derived from taxonomy terms. According to the supplied CVE data, malicious term names can be rendered unsafely depending on context. The affected paths include shs_field_formatter_view and shs_term_get_children, indicating risk both in formatter output and in generated child-term data. The NVD vector indicates network-based exploitation with low attack complexity, requires low privileges and user interaction, and impacts confidentiality and integrity at a low level, with no direct availability impact.

Defensive priority

Medium. This is not marked as KEV in the supplied corpus, but it is still worth prompt remediation because XSS in rendered Drupal output can affect administrators and visitors, especially on public-facing sites.

Recommended defensive actions

  • Upgrade Simple Hierarchical Select to a fixed release if one is available from the project maintainers.
  • Review and harden output encoding in shs_field_formatter_view and shs_term_get_children so all term-derived content is escaped for its final rendering context.
  • Audit any pages or widgets that display taxonomy term names or child-term lists generated by SHS.
  • Treat taxonomy term-derived text as untrusted input even when it originates from administrative workflows.
  • Validate the site with security regression testing focused on rendered term names and formatter output after patching.
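To make the second action concrete, the following is an added illustration (not code from the SHS module or the Drupal project) of escaping term-derived text for two rendering contexts: an HTML formatter and a JSON child-term list consumed by client-side script. The function names are hypothetical, the term is constructed, and plain htmlspecialchars() stands in for Drupal 7's check_plain() so the script runs without a Drupal bootstrap.

```php
<?php
// Added example: context-appropriate escaping of taxonomy term names.
// check_plain() is the Drupal 7 API for HTML-context escaping; htmlspecialchars()
// with ENT_QUOTES/UTF-8 is what it wraps, used here so this runs stand-alone.

function shs_debrief_escape_html($text) {
    // Encode <, >, &, " and ' so the term name is shown as text, never parsed as markup.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// HTML context: a field formatter rendering one term name inside an element.
// The escaping happens at the point of output, not when the term is loaded,
// so a term created through an administrative form is treated as untrusted too.
function shs_debrief_render_term($term) {
    return '<span class="shs-term">' . shs_debrief_escape_html($term->name) . '</span>';
}

// JavaScript data context: a child-term list handed to client-side code.
// json_encode() escapes the strings for JSON; the JSON_HEX_* flags additionally
// encode <, >, &, ' and " so the payload is safe even if embedded in a <script>
// block. The client must still insert the label as text (textContent), not innerHTML.
function shs_debrief_children_json(array $children) {
    $out = array();
    foreach ($children as $child) {
        $out[] = array('tid' => (int) $child->tid, 'label' => (string) $child->name);
    }
    return json_encode($out, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed sample term whose name carries markup, as a malicious editor could supply.
$term = (object) array('tid' => 42, 'name' => '<script>alert("term")</script>');

echo shs_debrief_render_term($term), PHP_EOL;
echo shs_debrief_children_json(array($term)), PHP_EOL;
```

Regression tests after patching can feed the same constructed term through each SHS output path and assert that the literal characters `<` and `>` never reach the rendered HTML or the generated child-term data unencoded.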

Evidence notes

The CVE was published and modified on 2026-05-21T22:16:48.420Z in the supplied NVD-derived source item. The CVE description explicitly names the vulnerable SHS code paths and affected version range (7.x-1.0 through 7.x-1.10). Official CVE and NVD record links are included, along with two supplied advisory references. The corpus does not include a KEV entry or a fixed-version advisory. Vendor attribution in the source metadata is low confidence, so the product context is taken from the CVE description and advisory references rather than from vendor metadata.

Official resources

Publicly disclosed in the CVE/NVD ecosystem on 2026-05-21. The supplied corpus shows no KEV listing and no confirmed exploitation campaign attribution.