"Ricochet has been invaluable in taking our website to the next level. Throughout the development process, they met every need and were able to find creative solutions for every curveball we threw at them. Their knowledge of the latest web technologies, professionalism, and responsiveness brought everything together for us. I can highly recommend Ricochet Consulting to anyone looking to surge past their competition."
—Scott M. Wayne,

Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013

Wed, 2026-02-25 10:45 — Anonymous (not verified)

Project: TagifyDate: 2026-February-25Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross-site scriptingAffected versions: <1.2.49CVE IDs: CVE-2026-3212Description: This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets.
The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content.Solution: Install the latest version:

If you use the Tagify module, upgrade to Tagify 1.2.49 or later.

Reported By:

David López (akalam)
Mingsong (mingsong) provisional member of the Drupal Security Team

Fixed By:

David López (akalam)
David Galeano (gxleano)
Mingsong (mingsong) provisional member of the Drupal Security Team

Coordinated By:

Damien McKenna (damienmckenna) of the Drupal Security Team
Dan Smith (galooph) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-013

Search form

Tagify - Moderately critical - Cross-site scripting - SA-CONTRIB-2026-013