← back
CVE-2026-4929

Simple Hierarchical Select (Drupal 7) XSS in term-derived output

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 5.1EPSS 0.2%KEV nãoPoC públicaNuclei Metasploit Patch
Lifecycle
21 May 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
Affected products
Drupal · Simple Hierarchical Select (shs)
public PoCs found1
cve_referencewww.herodevs.com/vulnerability-directory/cve-2026-4929?nes-for-drupal-7unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://d7es.tag1.com/security-advisories/simple-hierarchical-select-moderately-critical-cross-site-scriptinghttps://www.herodevs.com/vulnerability-directory/cve-2026-4929https://www.herodevs.com/vulnerability-directory/cve-2026-4929?nes-for-drupal-7