CVE-2026-11908

Description

This module integrates the Tagify JavaScript library to enhance entity reference selection in entity reference widgets. The module does not properly sanitise the name of parent taxonomy terms when rendering suggestions in the Tagify dropdown. This results in a cross-site scripting vulnerability that may allow attackers to execute arbitrary JavaScript in the context of the user’s session. The vulnerability is mitigated by the fact an attacker must have a role with permission to create or edit taxonomy terms in a vocabulary.

How to fix CVE-2026-11908

To remediate CVE-2026-11908, upgrade the affected package to a fixed version below.

• Packagist/drupal/tagify—upgrade to 1.2.52 or later

Is CVE-2026-11908 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-11908.

Affected packages (1)

• from 0, < 1.2.52

References (1)

• WEBwww.drupal.org/sa-contrib-2026-043