CVE-2026-4929
EUVD-2026-3138121.05.2026, 22:16
Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| simple_hierarchical_select_project | simple_hierarchical_select | 7.x-1.0 ≤ 𝑥 ≤ 7.x-1.10 |
𝑥
= Vulnerable software versions