View online: https://www.drupal.org/sa-contrib-2026-013
Project: Tagify [1]
Date: 2026-February-25
Security risk: *Moderately critical* 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default [2]
Vulnerability: Cross-site scripting
Affected versions: <1.2.49
CVE IDs: CVE-2026-3212
Description:
This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets.
The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content.
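
The bug class described above, shown as an added illustration that is not the Tagify module's code or its actual fix: a label interpolated raw into a template string next to a tagged template that escapes every interpolated value. The function names, the markup and the sample label are hypothetical and constructed for this example.

```javascript
// Added illustration; names and markup are hypothetical, not taken from Tagify.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change HTML element or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the user-supplied label reaches the markup unchanged.
function renderTagUnsafe(tag) {
  return `<span class="tag" title="${tag.label}">${tag.label}</span>`;
}

// Tagged template: literal parts are trusted, every interpolated value is escaped.
function safeHtml(strings, ...values) {
  return strings.reduce(
    (out, part, i) => out + part + (i < values.length ? escapeHtml(values[i]) : ''),
    ''
  );
}

// Hardened pattern: same markup, but the label can no longer close the attribute or add elements.
function renderTagSafe(tag) {
  return safeHtml`<span class="tag" title="${tag.label}">${tag.label}</span>`;
}

// Constructed sample: a term label that carries markup.
const sample = { label: '"><b>bold</b>' };

console.log(renderTagUnsafe(sample)); // label markup is parsed as HTML
console.log(renderTagSafe(sample));   // label is rendered as text
```

This escaping is only correct for element content and quoted attribute values; values placed in URLs, inline scripts or event-handler attributes need context-specific handling.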
Solution: Install the latest version:
* If you use the Tagify module, upgrade to Tagify 1.2.49 [3] or later.
Reported By:
* David López (akalam) [4]
* Mingsong (mingsong) [5] provisional member of the Drupal Security Team
Fixed By:
* David López (akalam) [6]
* David Galeano (gxleano) [7]
* Mingsong (mingsong) [8] provisional member of the Drupal Security Team
Coordinated By:
* Damien McKenna (damienmckenna) [9] of the Drupal Security Team
* Dan Smith (galooph) [10] of the Drupal Security Team
* Greg Knaddison (greggles) [11] of the Drupal Security Team
* Drew Webber (mcdruid) [12] of the Drupal Security Team
* Jess (xjm) [13] of the Drupal Security Team
------------------------------------------------------------------------------
Contribution record [14]

[1] https://www.drupal.org/project/tagify
[2] https://www.drupal.org/security-team/risk-levels
[3] https://www.drupal.org/project/tagify/releases/1.2.49
[4] https://www.drupal.org/u/akalam
[5] https://www.drupal.org/u/mingsong
[6] https://www.drupal.org/u/akalam
[7] https://www.drupal.org/u/gxleano
[8] https://www.drupal.org/u/mingsong
[9] https://www.drupal.org/u/damienmckenna
[10] https://www.drupal.org/u/galooph
[11] https://www.drupal.org/u/greggles
[12] https://www.drupal.org/u/mcdruid
[13] https://www.drupal.org/u/xjm
[14] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....