{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3212", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-02-25T16:59:27.087Z", "datePublished": "2026-03-25T15:22:11.601Z", "dateUpdated": "2026-03-26T14:38:54.095Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:22:11.601Z"}, "title": "Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013", "datePublic": "2026-02-25T18:45:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Drupal", "product": "Tagify", "collectionURL": "https://www.drupal.org/project/tagify", "repo": "https://git.drupalcode.org/project/tagify", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.2.49", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.49.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).<p>This issue affects Tagify: from 0.0.0 before 1.2.49.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-013"}], "credits": [{"lang": "en", "value": "David L\u00c3\u00b3pez (akalam)", "type": "finder"}, {"lang": "en", "value": "Mingsong (mingsong)", "type": "finder"}, {"lang": "en", "value": "David L\u00c3\u00b3pez (akalam)", "type": "remediation developer"}, {"lang": "en", "value": "David Galeano (gxleano)", "type": "remediation developer"}, {"lang": "en", "value": "Mingsong (mingsong)", "type": "remediation developer"}, {"lang": "en", "value": "Damien McKenna (damienmckenna)", "type": "coordinator"}, {"lang": "en", "value": "Dan Smith (galooph)", "type": "coordinator"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Drew Webber (mcdruid)", "type": "coordinator"}, {"lang": "en", "value": "Jess (xjm)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:01:00.711708Z", "id": "CVE-2026-3212", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:38:54.095Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3212", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:01:00.711708Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:01:11.224Z"}}], "cna": {"title": "Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "David L\u00c3\u00b3pez (akalam)"}, {"lang": "en", "type": "finder", "value": "Mingsong (mingsong)"}, {"lang": "en", "type": "remediation developer", "value": "David L\u00c3\u00b3pez (akalam)"}, {"lang": "en", "type": "remediation developer", "value": "David Galeano (gxleano)"}, {"lang": "en", "type": "remediation developer", "value": "Mingsong (mingsong)"}, {"lang": "en", "type": "coordinator", "value": "Damien McKenna (damienmckenna)"}, {"lang": "en", "type": "coordinator", "value": "Dan Smith (galooph)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Drew Webber (mcdruid)"}, {"lang": "en", "type": "coordinator", "value": "Jess (xjm)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/tagify", "vendor": "Drupal", "product": "Tagify", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.2.49", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/tagify", "defaultStatus": "unaffected"}], "datePublic": "2026-02-25T18:45:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-013"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.49.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).<p>This issue affects Tagify: from 0.0.0 before 1.2.49.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-25T15:22:11.601Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3212", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:01:15.384Z", "dateReserved": "2026-02-25T16:59:27.087Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-25T15:22:11.601Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS).This issue affects Tagify: from 0.0.0 before 1.2.49."}], "id": "CVE-2026-3212", "lastModified": "2026-03-25T20:16:34.423", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T16:16:22.217", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-013"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.2.49)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tagify", "source": "cna", "vendor": "Drupal"}, "product": "tagify", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-25T21:42:00.984290+00:00", "value": {"mitigation_remediation": ["Upgrade Tagify to version 1.2.49 or later.", "If an upgrade is not immediately possible, apply a content security policy that restricts inline scripting and disallows unsafe sources."], "summary": {"action": "Immediate Patch", "impact": "Cross-site scripting"}, "threat_synthesis": {"affected_systems": "Drupal Tagify is affected in all releases from the initial release 0.0.0 up to and including 1.2.48. Versions 1.2.49 and later contain the fix.", "description_and_impact": "Drupal Tagify contains an improper neutralization of input during web page generation that allows attackers to inject arbitrary JavaScript into pages. The vulnerability would enable victims to run code in their browsers, potentially stealing credentials, hijacking sessions, or defacing content. The weakness is identified as CWE\u201179 (Cross\u2011Site Scripting).", "risk_and_exploitability": "The severity scoring is moderate with a CVSS base score of 6.1, there is no EPSS value provided, and the issue is not currently listed in CISA\u2019s KEV catalog. Attackers likely exploit the flaw by submitting malicious payloads through public input fields, a technique that does not require elevated privileges. Because the payload executes in the victim\u2019s browser, the threat is confined to clients who view the compromised content, but it can compromise user credentials and data."}}}}, "created": "2026-03-25T21:48:04.033625+00:00", "updated": "2026-03-26T11:42:58.354596+00:00", "vendors": ["drupal", "drupal$PRODUCT$tagify"]}