CVE-2026-4929

Simple Hierarchical Select (Drupal 7) XSS in term-derived output

CVSS 5.1 MEDIUMEPSS 0.2%CWE-79

Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Affected products

Drupal · Simple Hierarchical Select (shs)

public PoCs found — 1

cve_referencewww.herodevs.com/vulnerability-directory/cve-2026-4929?nes-for-drupal-7unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://d7es.tag1.com/security-advisories/simple-hierarchical-select-moderately-critical-cross-site-scripting https://www.herodevs.com/vulnerability-directory/cve-2026-4929 https://www.herodevs.com/vulnerability-directory/cve-2026-4929?nes-for-drupal-7