Impact
An improper neutralization of user-supplied input during page generation in the Drupal Google Analytics GA4 module allows attackers to inject malicious scripts, creating a cross‑site scripting vulnerability. The flaw enables execution of arbitrary JavaScript in the browsers of visitors who view affected pages, potentially leading to session hijacking, data theft, or defacement. The weakness is classified under CWE‑79, illustrating that input is not adequately sanitized.
Affected Systems
The vulnerability affects the Drupal Google Analytics GA4 integration module. All releases from the initial version 0.0.0 up to, but not including, 1.1.14 are impacted. Site administrators must verify the module version and ensure that no legacy forms or custom code expose unsanitized input to the GA4 rendering context.
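As an added illustration of the sink that the Impact section describes (this is not code from the GA4 module or from Drupal core), the following stand-alone PHP contrasts a page-generation snippet that interpolates a request-derived value straight into an inline gtag() call with a version that neutralizes it before it reaches the script. The function names, the measurement-id format check, the placeholder id and the test payload are all assumptions constructed for the example.

```php
<?php
// Added example: a CWE-79 sink in a page-generation snippet and its hardened form.
// Not the GA4 module's code; names, id format and payload are constructed here.

declare(strict_types=1);

/**
 * VULNERABLE: a request-derived value is concatenated into an inline <script>.
 * A value containing a quote or a closing </script> tag leaves the JS string
 * literal or the script element, so the browser executes attacker-chosen code.
 */
function build_ga4_snippet_unsafe(string $measurementId, string $pageTitle): string
{
    return "<script>\n"
        . "  gtag('config', '{$measurementId}', { page_title: '{$pageTitle}' });\n"
        . "</script>\n";
}

/**
 * HARDENED: every dynamic value is JSON-encoded with the HEX flags, so <, >, ",
 * ' and & are emitted as \u00XX escapes that can neither terminate the JS
 * string nor the enclosing <script> element. The measurement id is also
 * validated against an assumed "G-" + alphanumerics shape before use.
 */
function build_ga4_snippet_safe(string $measurementId, string $pageTitle): string
{
    if (!preg_match('/^G-[A-Z0-9]{4,16}$/', $measurementId)) {
        throw new InvalidArgumentException('Measurement id does not match the assumed G-XXXXXXXX shape.');
    }
    $flags  = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR;
    $id     = json_encode($measurementId, $flags);
    $config = json_encode(['page_title' => $pageTitle], $flags);
    return "<script>\n"
        . "  gtag('config', {$id}, {$config});\n"
        . "</script>\n";
}

/**
 * Detection helper for a test suite: counts real closing script tags in the
 * rendered HTML. A correctly neutralized snippet has exactly one, its own.
 */
function count_script_closers(string $html): int
{
    return substr_count(strtolower($html), '</script>');
}

// Constructed test input that tries to close the script element and open a new one.
$payload = '</script><script>alert(1)</script>';

$unsafe = build_ga4_snippet_unsafe('G-PLACEHOLDER', $payload);
$safe   = build_ga4_snippet_safe('G-PLACEHOLDER', $payload);

echo "unsafe closers: " . count_script_closers($unsafe) . "\n"; // 3: payload broke out
echo "safe closers:   " . count_script_closers($safe)   . "\n"; // 1: only the real tag
echo $safe;
```

Run with `php example.php`. The usual Drupal equivalent of the hardened form is not to build inline script at all: place the value in `#attached['drupalSettings']` and read it from the module's own JavaScript library, since Drupal JSON-encodes drupalSettings on output and the inline script then never carries raw request data. Either way, the check a reviewer wants is the one `count_script_closers()` performs: render the page with a value that contains a closing script tag and confirm only the template's own tag survives.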
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity, while an EPSS score below 1 % points to a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no public exploit in circulation. The likely attack vector requires an attacker to supply malicious payloads through input that the GA4 module processes during page rendering—such as query parameters or publicly exposed fields. This inference is drawn from the description of improper input neutralization, as the exact exploitation path is not explicitly detailed in the available information.
OpenCVE Enrichment