CVE-2026-4929

Severity CVSS v4.0:
MEDIUM
Type:
CWE-79 Cross-Site Scripting (XSS)
Publication date:
21/05/2026
Last modified:
01/06/2026

Description

Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context.<br /> This affects versions from 7.x-1.0 through (and including) 7.x-1.10.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:simple_hierarchical_select_project:simple_hierarchical_select:*:*:*:*:*:drupal:*:* 7.x-1.0 (including) 7.x-1.10 (including)