{"id":"DRUPAL-CONTRIB-2026-013","details":"This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets.\n\nThe module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content.","aliases":["CVE-2026-3212"],"modified":"2026-02-25T19:44:42.411114Z","published":"2026-02-25T18:45:13Z","references":[{"type":"WEB","url":"https://www.drupal.org/sa-contrib-2026-013"}],"affected":[{"package":{"name":"drupal/tagify","ecosystem":"Packagist:https://packages.drupal.org/8","purl":"pkg:composer/drupal/tagify"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.2.49"}],"database_specific":{"constraint":"\u003c1.2.49"}}],"database_specific":{"source":"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/tagify/DRUPAL-CONTRIB-2026-013.json","affected_versions":"\u003c1.2.49"}}],"schema_version":"1.7.3","credits":[{"name":"David López (akalam)","contact":["https://www.drupal.org/u/akalam"]},{"name":"Mingsong  (mingsong)","contact":["https://www.drupal.org/u/mingsong"]}]}