it-securitynotifies - [IT-SecNots] [Security-news] Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043
  • From: security-news AT drupal.org
  • To: security-news AT drupal.org
  • Subject: [IT-SecNots] [Security-news] Tagify - Moderately critical - Cross-site scripting (XSS) - SA-CONTRIB-2026-043
  • Date: Wed, 10 Jun 2026 17:07:13 +0000

View online: https://www.drupal.org/sa-contrib-2026-043

Project: Tagify [1]
Date: 2026-June-10
Security risk: *Moderately critical* 13/25
AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting (XSS)

Affected versions: <1.2.52
CVE IDs: CVE-2026-11908
Description: 
This module integrates the Tagify JavaScript library to enhance entity
reference selection in entity reference widgets.

The module does not properly sanitise the name of parent taxonomy terms when
rendering suggestions in the Tagify dropdown. This results in a cross-site
scripting vulnerability that may allow attackers to execute arbitrary
JavaScript in the context of the user’s session.

The vulnerability is mitigated by the fact that an attacker must have a role
with permission to create or edit taxonomy terms in a vocabulary.
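The flaw described above is a classic case of untrusted text (here, a parent term's name) being interpolated into dropdown markup without escaping. The following is an added illustration, not the Tagify module's own code: an unsafe suggestion template beside a hardened one that escapes the parent name. The suggestion object shape ({ value, label, parent }) and the wrapper class names are assumptions.

```javascript
// Added example (not the Tagify module's code): escaping a parent taxonomy
// term name before it is interpolated into a dropdown suggestion template.
// The suggestion shape { value, label, parent } is assumed for illustration.

// Map the five HTML-significant characters to their entity forms.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Unsafe variant: the label is escaped but the parent name is not, so any
// markup stored in a parent term's name becomes live HTML once the dropdown
// assigns this string to innerHTML.
function renderSuggestionUnsafe(item) {
  const parent = item.parent
    ? ` <span class="parent">${item.parent}</span>`
    : '';
  return `<div class="tagify__dropdown__item">${escapeHtml(item.label)}${parent}</div>`;
}

// Hardened variant: every field that originates from user-editable term
// data, including the parent name, passes through escapeHtml().
function renderSuggestion(item) {
  const parent = item.parent
    ? ` <span class="parent">${escapeHtml(item.parent)}</span>`
    : '';
  return `<div class="tagify__dropdown__item">${escapeHtml(item.label)}${parent}</div>`;
}

// Constructed sample: a child term whose parent name carries markup and quotes.
const sampleSuggestion = {
  value: 42,
  label: 'Child term',
  parent: 'Parent <b>term</b> & "quoted"',
};
```

Comparing `renderSuggestionUnsafe(sampleSuggestion)` with `renderSuggestion(sampleSuggestion)` shows the `<b>` tag surviving verbatim in the first and arriving as `&lt;b&gt;` in the second.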

Solution: 
Install the latest version of the Tagify module that includes a fix for
sanitising parent term names in the Tagify dropdown rendering.

* If you use the Tagify module for Drupal, upgrade to tagify 1.2.52 [3].

More information will be provided in the project release notes once the fixed
version is published.

Reported By: 
* Pierre Rudloff (prudloff) [4] of the Drupal Security Team

Fixed By: 
* David Galeano (gxleano) [5]

Coordinated By: 
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Dave Long (longwave) [7] of the Drupal Security Team
* Pierre Rudloff (prudloff) [8] of the Drupal Security Team

Security issue: https://git.drupalcode.org/security/185106-tagify-security/-/work_items/1 [9]
------------------------------------------------------------------------------
Contribution record [10]

[1] https://www.drupal.org/project/tagify
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tagify/releases/1.2.52
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/gxleano
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/longwave
[8] https://www.drupal.org/u/prudloff
[9] https://git.drupalcode.org/security/185106-tagify-security/-/work_items/1
[10] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal.org/node/3593444

_______________________________________________
Security-news mailing list -- security-news AT drupal.org
To unsubscribe send an email to security-news-leave AT drupal.org
Archive provided by MHonArc 2.6.19+.