"We run a non-profit summer camp and hired Ricochet to design our camper and staff database from scratch. Their initial design was custom fit to suit our needs and as those needs have evolved the helpful staff at Ricochet have insured that timely changes keep our database up to date and running smoothly. Thanks for the fantastic service and personal attention, it's made a huge difference for our camp!"
—Chrissie Endler, Camp del Corazon

Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013

Wed, 2026-02-25 10:45 — Anonymous (not verified)

Project: TagifyDate: 2026-February-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingAffected versions: <1.2.49CVE IDs: CVE-2026-3212Description: This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets.
The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content.Solution: Install the latest version:

If you use the Tagify module, upgrade to Tagify 1.2.49 or later.

Reported By:

David López (akalam)
Mingsong (mingsong) provisional member of the Drupal Security Team

Fixed By:

David López (akalam)
David Galeano (gxleano)
Mingsong (mingsong) provisional member of the Drupal Security Team

Coordinated By:

Damien McKenna (damienmckenna) of the Drupal Security Team
Dan Smith (galooph) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-013

Search form

Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013