{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3529", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:57.792Z", "datePublished": "2026-03-26T20:03:28.917Z", "dateUpdated": "2026-03-27T18:09:00.611Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:28.917Z"}, "title": "Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024", "datePublic": "2026-03-04T17:59:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Drupal", "product": "Google Analytics GA4", "collectionURL": "https://www.drupal.org/project/ga4_google_analytics", "repo": "https://git.drupalcode.org/project/ga4_google_analytics", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).<p>This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-024"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Sujan Shrestha (sujan shrestha)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:08:22.874887Z", "id": "CVE-2026-3529", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:09:00.611Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3529", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:57.792Z", "datePublished": "2026-03-26T20:03:28.917Z", "dateUpdated": "2026-03-27T18:09:00.611Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:28.917Z"}, "title": "Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024", "datePublic": "2026-03-04T17:59:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Drupal", "product": "Google Analytics GA4", "collectionURL": "https://www.drupal.org/project/ga4_google_analytics", "repo": "https://git.drupalcode.org/project/ga4_google_analytics", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).<p>This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-024"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Sujan Shrestha (sujan shrestha)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3529", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T18:08:22.874887Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:04:18.175Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en Drupal Google Analytics GA4 permite cross-site scripting (XSS). Este problema afecta a Google Analytics GA4: desde 0.0.0 anterior a 1.1.14."}], "id": "CVE-2026-3529", "lastModified": "2026-03-27T18:16:06.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:09.020", "references": [{"source": "[email protected]", "url": "https://www.drupal.org/sa-contrib-2026-024"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "[email protected]", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.1.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Google Analytics GA4", "source": "cna", "vendor": "Drupal"}, "product": "google_analytics_ga4", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-03-27T20:06:59.681434+00:00", "value": {"mitigation_remediation": ["Upgrade the Google Analytics GA4 contrib module to version 1.1.14 or later.", "Verify the update by checking the module version in the Drupal admin interface.", "If an immediate upgrade is not possible, restrict access to the module configuration pages to trusted administrators and monitor for suspicious input.", "Review the site for any injected scripts and remove them immediately."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "Drupal sites that install the Google Analytics GA4 contrib module with a version earlier than 1.1.14, starting from the initial 0.0.0 release, are vulnerable. Administrators should inspect the module version in the Drupal admin UI and compare it against the latest released version. The vulnerability does not affect any other vendors or products.", "description_and_impact": "The Google Analytics GA4 contrib module for Drupal contains an improper neutralization of user input during web page generation, creating a cross\u2011site scripting flaw. An attacker can inject JavaScript payloads into the module\u2019s configuration or content that will execute in the browsers of visitors who view the affected pages. This enables session hijacking, credential theft, defacement or arbitrary actions performed on behalf of users.", "risk_and_exploitability": "The CVSS base score of 6.1 indicates moderate severity, but the EPSS score below 1% suggests exploitation is unlikely at present. The flaw is not listed in the CISA KEV catalog, so no widespread exploitation is documented. Attackers could abuse the public configuration interface or abuse any input fields that the module stores without sanitization. A remote attacker with the ability to supply crafted configuration data or inject malicious content via exposed URLs could trigger the vulnerability, leading to arbitrary script execution in victims\u2019 browsers."}}}}, "created": "2026-03-27T08:32:15.425733+00:00", "updated": "2026-03-27T20:26:05.064790+00:00", "vendors": ["drupal", "drupal$PRODUCT$google_analytics_ga4"]}