Zero Day MonitorZDM

← Back to list

—

CVE-2026-4929EXPLOITEDPATCHED

drupal · simple_hierarchical_select

Simple Hierarchical Select (Drupal 7) XSS in term-derived output

Description

Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term names can be rendered unsafely depending on output context. This affects versions from 7.x-1.0 through (and including) 7.x-1.10.

Affected Products

Vendor	Product	Versions
drupal	simple_hierarchical_select	7.x-1.0

References

https://www.herodevs.com/vulnerability-directory/cve-2026-4929(third-party-advisory)
https://d7es.tag1.com/security-advisories/simple-hierarchical-select-moderately-critical-cross-site-scripting(third-party-advisory)

Related News (1 articles)

Tier C

VulDB4d ago

CVE-2026-4929 | Simple Hierarchical Select up to 7.x-1.10 on Drupal shs_field_formatter_view/shs_term_get_children cross site scripting

→ No new info (linked only)

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

7.x-1.11

PublishedMay 21, 2026

Last enriched4d agov2

Tags

CVE-2026-4929

Trending Score23

Source articles1

Independent1

Info Completeness8/14

Missing: cvss, epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-9082EXPKEV

Drupal core - Highly critical - SQL injection - SA-CORE-2026-004

CRITICALCVE-2026-8495

Date iCal - Critical - Information disclosure - SA-CONTRIB-2026-037

MEDIUMCVE-2026-6367EXP

Drupal core - Moderately critical - Cross-site scripting - SA-CORE-2026-003

NONECVE-2026-4093EXP

Stored XSS in Drupal 7 Term Reference Tree module (token display templates and term labels)

MEDIUMCVE-2026-6366EXP

Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

May 21, 2026

Discovered by ZDM

May 21, 2026

Updated: severity, activelyExploited, cweIds, tags

May 22, 2026

Actively Exploited

May 22, 2026

Patch Available

May 22, 2026

Version History

v2

Last enriched 4d ago

v2Tier C4d ago

Updated severity to HIGH, marked as actively exploited, and added CWE-79 and CVE-2026-4929 tags.

severityactivelyExploitedcweIdstags

via VulDB

v14d ago

Initial creation