CVE-2026-4929

Published: May 21, 2026

Modified: May 22, 2026

PUBLISHED

Description

Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.

Vendor	Product	Versions
Drupal	Simple Hierarchical Select (shs)	affected `7.x-1.0 - < 7.x-1.11`

References

NES patch branch comparison

third-party-advisory

https://d7es.tag1.com/security-advisories/simple-hierarchical-select-moderately-critical-cross-site-scripting

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-4929

Description

Affected Products

References