{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3529", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:57.792Z", "datePublished": "2026-03-26T20:03:28.917Z", "dateUpdated": "2026-03-26T20:03:28.917Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:28.917Z"}, "title": "Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024", "datePublic": "2026-03-04T17:59:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Drupal", "product": "Google Analytics GA4", "collectionURL": "https://www.drupal.org/project/ga4_google_analytics", "repo": "https://git.drupalcode.org/project/ga4_google_analytics", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).<p>This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-024"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Sujan Shrestha (sujan shrestha)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14."}], "id": "CVE-2026-3529", "lastModified": "2026-03-26T21:17:09.020", "metrics": {}, "published": "2026-03-26T21:17:09.020", "references": [{"source": "mlhess@drupal.org", "url": "https://www.drupal.org/sa-contrib-2026-024"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.1.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Google Analytics GA4", "source": "cna", "vendor": "Drupal"}, "product": "google_analytics_ga4", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-26T21:37:21.338930+00:00", "value": {"mitigation_remediation": ["Upgrade the Drupal Google Analytics GA4 module to version 1.1.14 or later", "Verify that the upgraded module is correctly installed and old files are removed", "If an upgrade cannot be performed immediately, disable the module to eliminate the attack surface", "Regularly review site for any unexpected JavaScript injection or rendering anomalies"], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Drupal Google Analytics GA4 module. All released versions prior to 1.1.14 are vulnerable, including the initial 0.0.0 release. Systems running any earlier revision of this module are at risk.", "description_and_impact": "Improper neutralization of input during web page generation in the Drupal Google Analytics GA4 module allows malicious JavaScript to be injected into pages rendered by the site. The injected code runs in the context of visitors who view the affected pages and can be used to hijack user sessions, exfiltrate data, or deface content. The weakness is a classic cross\u2011site scripting flaw (CWE\u201179).", "risk_and_exploitability": "The issue is not reported in the CISA KEV list, and the EPSS score is not publicly available, but the moderate severity and the typical path of exploitation\u2014through input fields or configuration pages\u2014suggest that attackers with sufficient access could exploit it. The simple injection of unescaped input makes the vulnerability relatively easy to trigger for users with edit rights to the module configuration. Admins should treat this as a medium\u2011to\u2011high risk exposure if the module is in use and no mitigations are applied."}}}}, "created": "2026-03-27T08:32:15.425733+00:00", "updated": "2026-03-27T09:23:44.186700+00:00", "vendors": ["drupal", "drupal$PRODUCT$google_analytics_ga4"]}