Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024
Project: Google Analytics GA4
Date: 2026-March-04
Security risk: Moderately critical 12 ∕ 25 AC:Basic/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site Scripting
Affected versions: <1.1.13
CVE IDs: CVE-2026-3529
Description: The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes.
This vulnerability is mitigated by the fact that an attacker must have a role with the "ga4 configure" (or "administer google analytics ga4 settings") permission.
An attacker with this permission could inject malicious JavaScript via event handlers (such as onload) or override the script source, leading to a Cross-Site Scripting (XSS) attack on all pages where the GA4 script is loaded.
Solution: Install the latest version:
- If you use the Google Analytics GA4 module, upgrade to Google Analytics GA4 1.1.13
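The class of check the description refers to, as an added stand-alone PHP example; it is not the module's code or its actual fix. The function names, the allow-list contents, the `G-EXAMPLE` measurement ID and the sample configuration are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list for extra <script> attributes; not the module's own list.
const EXAMPLE_ALLOWED_SCRIPT_ATTRIBUTES = [
  'async', 'defer', 'nonce', 'crossorigin', 'referrerpolicy', 'integrity',
];

// Splits configured attributes into [accepted name => value, rejected names].
function example_filter_script_attributes(array $attributes): array {
  $accepted = [];
  $rejected = [];
  foreach ($attributes as $name => $value) {
    $normalized = strtolower(trim((string) $name));
    $is_data = preg_match('/^data-[a-z0-9_.-]+$/', $normalized) === 1;
    if ($is_data || in_array($normalized, EXAMPLE_ALLOWED_SCRIPT_ATTRIBUTES, TRUE)) {
      $accepted[$normalized] = (string) $value;
    }
    else {
      // Covers on* event handlers, src, and any other name not on the list.
      $rejected[] = $normalized;
    }
  }
  return [$accepted, $rejected];
}

// Renders the tag; src is supplied by code, never taken from the attribute config.
function example_render_script_tag(string $src, array $attributes): string {
  [$accepted] = example_filter_script_attributes($attributes);
  $html = '<script src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '"';
  foreach ($accepted as $name => $value) {
    $html .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"';
  }
  return $html . '></script>';
}

// Constructed sample configuration, including the two cases the advisory names.
$configured = [
  'async' => 'async',
  'data-cookieconsent' => 'statistics',
  'onload' => 'constructedHandler()',
  'SRC' => 'https://constructed.example/other.js',
];
[, $rejected] = example_filter_script_attributes($configured);
echo example_render_script_tag('https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE', $configured), "\n";
echo 'Rejected: ', implode(', ', $rejected), "\n";
```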
Reported By:
- Pierre Rudloff (prudloff) provisional member of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team

