Description
Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context.
This affects versions from 7.x-1.0 through (and including) 7.x-1.10.
Published: 2026-05-21
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simple Hierarchical Select module for Drupal 7 contains a cross‑site scripting vulnerability caused by failing to escape taxonomy term names before rendering them. The unescaped term‑derived text reaches two paths: the field formatter output (shs_field_formatter_view) and the child‑term data built for the term tree (shs_term_get_children). A term name containing markup can therefore be injected into the page and, depending on how the consuming code inserts it, executed as HTML or JavaScript in the browsers of users who view the affected content.
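
The pattern behind the two affected paths, shown as an added example rather than code from the SHS module: a formatter that concatenates term names straight into `'#markup'` beside the hardened form, and a child‑term data builder that escapes for the HTML context. The function names (`shs_example_*`), the constructed term list and the payload are assumptions made for the illustration; `shs_example_plain()` stands in for Drupal 7's `check_plain()` (both are `htmlspecialchars` with `ENT_QUOTES` and UTF‑8) so the file runs with plain `php` outside Drupal, where term objects would instead come from `taxonomy_term_load()` or `taxonomy_get_tree()`.

```php
<?php
// Added example, not code from the SHS module. Constructed sample terms with the
// fields the example needs (tid, name, parent); in Drupal 7 these would come from
// taxonomy_term_load() or taxonomy_get_tree(). The second name is the kind of
// payload an account with permission to create or edit terms can save, because
// term names are free text.
$terms = array(
  (object) array('tid' => 12, 'name' => 'Hardware', 'parent' => 0),
  (object) array('tid' => 13, 'name' => '<img src=x onerror=alert(document.domain)>', 'parent' => 12),
);

// Equivalent of Drupal 7's check_plain(): inside a module, call check_plain().
function shs_example_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Vulnerable shape of a field formatter: term-derived text is concatenated into
// '#markup', which Drupal renders verbatim, so the payload becomes live HTML.
function shs_example_formatter_unsafe(array $terms) {
  $names = array();
  foreach ($terms as $term) {
    $names[] = $term->name;
  }
  return array('#markup' => '<span class="shs-term">' . implode(' &raquo; ', $names) . '</span>');
}

// Hardened formatter: escape at the point of output, for the HTML context.
function shs_example_formatter_safe(array $terms) {
  $names = array();
  foreach ($terms as $term) {
    $names[] = shs_example_plain($term->name);
  }
  return array('#markup' => '<span class="shs-term">' . implode(' &raquo; ', $names) . '</span>');
}

// Child-term data handed to a front-end widget. JSON encoding alone does not make
// the name safe for HTML; whether it executes depends on whether the JavaScript
// consumer inserts it as an HTML string or as a text node. The escaping has to
// match that consumer: escape here if the widget builds HTML strings (the usual
// jQuery pattern); if it creates text nodes, escape there instead, not twice.
function shs_example_children(array $terms, $parent_tid) {
  $children = array();
  foreach ($terms as $term) {
    if ((int) $term->parent === (int) $parent_tid) {
      $children[] = array('tid' => $term->tid, 'label' => shs_example_plain($term->name));
    }
  }
  return $children;
}

$unsafe = shs_example_formatter_unsafe($terms);
$safe = shs_example_formatter_safe($terms);
echo "unsafe: " . $unsafe['#markup'] . "\n";
echo "safe:   " . $safe['#markup'] . "\n";
echo "children of 12: " . json_encode(shs_example_children($terms, 12)) . "\n";
```

Running the file prints the `<img ... onerror=...>` tag intact in the unsafe line and as `&lt;img ... &gt;` in the safe line; the child‑term JSON carries the escaped label. The point to take from it is that the fix belongs at the output boundary, chosen for the context the text lands in, not at the time the term is saved.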

Affected Systems

Drupal 7 sites running the Simple Hierarchical Select module in any version from 7.x‑1.0 through 7.x‑1.10 are affected. The exposure exists wherever the module renders taxonomy term names to users, and it is reachable by anyone who holds a role allowed to create or edit terms in a vocabulary the module displays.

Risk and Exploitability

The CVSS 4.0 score of 5.1 rates the issue medium (vector AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N); the EPSS score is below 1%, and the vulnerability is not listed in the CISA KEV catalog. The SSVC enrichment records Exploitation: poc and Automatable: no. Exploitation needs an account that can create or edit taxonomy terms (PR:L) and a victim who views content in which the module renders that term (UI:P). Whether the payload executes depends on the output context: a name placed into field formatter markup without escaping is rendered as HTML, while a name passed through the child‑term data path executes only where the consuming code inserts it as HTML rather than as text. The attack is remote and confined to the application context.

Generated by OpenCVE AI on May 21, 2026 at 23:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simple Hierarchical Select module to a release that the Drupal security advisory for CVE-2026-4929 identifies as fixed. At the time of this record the page lists no vendor fix or workaround, so check the module's project page and the Drupal security advisories before relying on any particular version number.
  • If an upgrade is not immediately possible, deploy a Content Security Policy with a script‑src that excludes 'unsafe-inline' and restricts script origins. This limits what an injected tag can do but does not remove the flaw, and because Drupal 7 delivers Drupal.settings as inline script, such a policy needs nonces or hashes to avoid breaking the site.
  • Restrict the "edit terms" and "create terms" permissions for the affected vocabularies to trusted roles, since an account with those permissions is the precondition (PR:L) for planting a payload.
  • Treat storage‑time filtering of term names as defense in depth only: the correct fix is escaping at output with check_plain() or filter_xss() for the context the text is rendered in, and stripping characters such as & or < on save can alter legitimate term names. Also audit existing terms (for example, names in taxonomy_term_data containing "<" or "on...=" attributes) for payloads that were saved before the fix.


Advisories

No advisories yet.

History

Fri, 22 May 2026 13:30:00 +0000

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed:
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 13:15:00 +0000

Type: First Time appeared
Values Removed:
Values Added: Drupal; Drupal simple Hierarchical Select (shs)

Type: Vendors & Products
Values Removed:
Values Added: Drupal; Drupal simple Hierarchical Select (shs)

Fri, 22 May 2026 00:15:00 +0000

Type: Weaknesses
Values Removed:
Values Added: CWE-79

Thu, 21 May 2026 22:15:00 +0000

Type: Description
Values Removed:
Values Added: Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.

Type: Title
Values Removed:
Values Added: Simple Hierarchical Select (Drupal 7) XSS in term-derived output

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed:
Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-05-22T12:52:46.535Z

Reserved: 2026-03-26T19:18:14.271Z

Link: CVE-2026-4929

Vulnrichment

Updated: 2026-05-22T12:52:08.555Z

NVD

Status : Received

Published: 2026-05-21T22:16:48.420

Modified: 2026-05-21T22:16:48.420

Link: CVE-2026-4929

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T12:38:25Z

Weaknesses