View online: https://www.drupal.org/sa-contrib-2026-024
Project: Google Analytics GA4 [1]
Date: 2026-March-04
Security risk: *Moderately critical* 12 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site Scripting
Affected versions: <1.1.13
CVE IDs: CVE-2026-3529
Description: The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes.
This vulnerability is mitigated by the fact that an attacker must have a role with the "ga4 configure" (or "administer google analytics ga4 settings") permission.
An attacker with this permission could inject malicious JavaScript via event handlers (such as onload) or override the script source, leading to a Cross-Site Scripting (XSS) attack on all pages where the GA4 script is loaded.
Solution: Install the latest version:
* If you use the Google Analytics GA4 module, upgrade to Google Analytics GA4 1.1.13 [3]
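The description above names the two dangerous attribute classes: event handlers such as onload and an overriding src. The following PHP is an added example of the server-side allow-listing a fix of this kind needs; it is not the module's own code, and the attribute allow-list, function names and loader URL are assumptions.

```php
<?php
// Added example, not the module's own code. Assumes custom attributes reach
// the renderer as a name => value string map from the settings form.

// Keeps only attributes that are safe to render on the GA4 <script> tag.
// Event handlers (on*) and src are always dropped; other names must be on a
// hypothetical allow-list or be a data-* attribute.
function ga4_filter_script_attributes(array $attributes): array {
  $allowed = ['async', 'defer', 'nonce', 'crossorigin', 'referrerpolicy', 'id'];
  $safe = [];
  foreach ($attributes as $name => $value) {
    $name = strtolower(trim((string) $name));
    // A name containing quotes, '=' or whitespace could break out of the tag.
    if (!preg_match('/^[a-z][a-z0-9-]*$/', $name)) {
      continue;
    }
    // onload etc. would run injected JavaScript; src would swap the library.
    if (str_starts_with($name, 'on') || $name === 'src') {
      continue;
    }
    if (!in_array($name, $allowed, TRUE) && !str_starts_with($name, 'data-')) {
      continue;
    }
    $safe[$name] = (string) $value;
  }
  return $safe;
}

// Renders the filtered attributes as HTML with every value escaped.
function ga4_render_script_attributes(array $attributes): string {
  $parts = [];
  foreach (ga4_filter_script_attributes($attributes) as $name => $value) {
    $parts[] = $value === ''
      ? $name
      : $name . '="' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
  }
  return $parts === [] ? '' : ' ' . implode(' ', $parts);
}

// Constructed input mixing legitimate and hostile attributes.
$input = [
  'async' => '',
  'data-site' => 'main',
  'onload' => 'runInjectedCode()',         // dropped
  'src' => 'https://attacker.invalid/x.js', // dropped
  'nonce' => 'abc"><b>',                   // kept, value escaped
];
// Placeholder loader URL; the real module supplies its own.
echo '<script src="https://loader.example.invalid/gtag.js"'
  . ga4_render_script_attributes($input) . "></script>\n";
```

Filtering by name before escaping values matters here: escaping alone would still let an onload handler through intact, since its value is valid attribute text.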
Reported By:
* Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team
Fixed By:
* Sujan Shrestha (sujan shrestha) [5]
Coordinated By:
* Greg Knaddison (greggles) [6] of the Drupal Security Team
* Juraj Nemec (poker10) [7] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [8]
[1] https://www.drupal.org/project/ga4_google_analytics
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/ga4_google_analytics/releases/1.1.13
[4] https://www.drupal.org/u/prudloff
[5] https://www.drupal.org/u/sujan-shrestha
[6] https://www.drupal.org/u/greggles
[7] https://www.drupal.org/u/poker10
[8] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....