Impact
This vulnerability arises from improper neutralization of user-controlled input during web page generation (CWE-79, cross-site scripting): text that reaches the Drupal AT Internet SmartTag module is written into pages it serves without adequate output encoding, so an attacker can inject script that executes in the victim's browser under the site's origin. From there the script can ride the victim's authenticated session (issuing requests on their behalf), capture credentials entered on the page, or deface content. Note that Drupal sets its session cookie HttpOnly by default, so outright cookie theft via document.cookie is less likely than abuse of the live session through requests the script makes from within the page.
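The pattern behind CWE-79, shown as an added illustration rather than the SmartTag module's own code: an analytics-style snippet that writes a site name into HTML and a page name into an inline script. The function names, the two settings and the attacker inputs are hypothetical and constructed; plain PHP stands in for the Drupal helpers so it runs without Drupal, and the matching Drupal APIs are named in comments.

```php
<?php
// Added example of the CWE-79 pattern. NOT the SmartTag module's code; function
// names, settings and payloads are hypothetical. Drupal equivalents are noted.

declare(strict_types=1);

/**
 * Vulnerable: user-controlled text is concatenated straight into markup and an
 * inline <script>. A page name such as  </script><script>alert(1)</script>
 * closes the tag the template opened and runs attacker script for every visitor.
 */
function render_tag_vulnerable(string $siteName, string $pageName): string
{
    return '<span class="site">' . $siteName . '</span>' . "\n"
        . '<script>var tag = {}; tag.page = "' . $pageName . '";</script>';
}

/**
 * HTML text context. Same call \Drupal\Component\Utility\Html::escape() makes.
 */
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Inline-script context. The HEX flags turn < > & ' " into \uXXXX escapes (and
 * json_encode escapes "/" by default), so the bytes "</script>" can never occur
 * in the output. \Drupal\Component\Serialization\Json::encode() uses the same
 * flags. In real Drupal code, prefer $build['#attached']['drupalSettings'] over
 * hand-written inline script.
 */
function encode_for_script(mixed $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/**
 * Hardened: every value is encoded for the exact context it lands in.
 */
function render_tag_hardened(string $siteName, string $pageName): string
{
    return '<span class="site">' . escape_html($siteName) . '</span>' . "\n"
        . '<script>var tag = {}; tag.page = ' . encode_for_script($pageName) . ';</script>';
}

/**
 * Check: parse the output the way a browser would and count elements of $tag.
 * The template intentionally emits exactly one <script> and no <img>.
 */
function count_elements(string $html, string $tag): int
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    return $doc->getElementsByTagName($tag)->length;
}

// Constructed attacker-controlled inputs (hypothetical).
$evilSite = '<img src=x onerror=alert(document.domain)>';
$evilPage = '</script><script>alert(1)</script>';

$bad  = render_tag_vulnerable($evilSite, $evilPage);
$good = render_tag_hardened($evilSite, $evilPage);

echo "vulnerable output:\n$bad\n\n";
echo "hardened output:\n$good\n\n";

// Vulnerable: 2 script elements and 1 img element reach the DOM.
// Hardened:   1 script element (the template's own) and 0 img elements.
printf("vulnerable: %d <script>, %d <img>\n",
    count_elements($bad, 'script'), count_elements($bad, 'img'));
printf("hardened:   %d <script>, %d <img>\n",
    count_elements($good, 'script'), count_elements($good, 'img'));
```

Run it with `php example.php`. The point of the DOM-based check is that escaping is judged by what the HTML parser builds, not by string inspection: the hardened output still contains the text "onerror=" inside the escaped span, but no element is created from it, while the JSON \u003C escapes stay inert characters inside the script's string literal.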
Affected Systems
Drupal AT Internet SmartTag is affected from version 0.0.0 up to, but not including, 1.0.1: every release of the module before 1.0.1 is vulnerable, and 1.0.1 is the first release that is not. Any Drupal site with an earlier release of the module installed is exposed; sites without the module are not affected by this issue.
Risk and Exploitability
The CVSS base score of 6.1 places the issue at Medium severity. Its EPSS score is below 1%, indicating a low estimated probability of exploitation in the wild over the next 30 days, and the CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalogue. An attacker would need to get crafted input into a value the SmartTag module writes into the page, most likely through exposed request parameters or content fields; the summary does not pin down the exact input. Because the flaw is in page rendering, only users who load a page carrying the injected script are affected, and exploitation needs a victim to visit such a page. Once the script runs, however, it holds the full in-browser privileges of that user, so it can be used for phishing overlays, credential capture, or state-changing requests made with the victim's session, including against administrative pages if the victim is an administrator. Sites should update the module to 1.0.1 or later.
OpenCVE Enrichment