View online: https://www.drupal.org/sa-contrib-2026-003 Project: AT Internet SmartTag [1] Date: 2026-January-14 Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2] Vulnerability: Cross-site Scripting Affected versions: <1.0.1 CVE IDs: CVE-2026-0946 Description:  This module integrates the AT Internet SmartTag service. The module does not filter administrator-entered text leading to a persistent Cross-site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer atsmarttag". Solution:  Install the latest version and confirm the permissions associated with the module are assigned to appropriate roles. * If you use the AT Internet SmartTag module for Drupal 9 and 10, upgrade to AT Internet SmartTag 1.0.1 [3] Reported By:  * Pierre Rudloff (prudloff) [4] provisional member of the Drupal Security Team Fixed By:  * Frank Mably (mably) [5] Coordinated By:  * Greg Knaddison (greggles) [6] of the Drupal Security Team * Juraj Nemec (poker10) [7] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [8] [1] https://www.drupal.org/project/atsmarttag [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/atsmarttag/releases/1.0.1 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/mably [6] https://www.drupal.org/u/greggles [7] https://www.drupal.org/u/poker10 [8] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....