{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3529", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "state": "PUBLISHED", "assignerShortName": "drupal", "dateReserved": "2026-03-04T16:41:57.792Z", "datePublished": "2026-03-26T20:03:28.917Z", "dateUpdated": "2026-03-27T18:09:00.611Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:28.917Z"}, "title": "Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024", "datePublic": "2026-03-04T17:59:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"vendor": "Drupal", "product": "Google Analytics GA4", "collectionURL": "https://www.drupal.org/project/ga4_google_analytics", "repo": "https://git.drupalcode.org/project/ga4_google_analytics", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.14", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).<p>This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.</p>"}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2026-024"}], "credits": [{"lang": "en", "value": "Pierre Rudloff (prudloff)", "type": "finder"}, {"lang": "en", "value": "Sujan Shrestha (sujan shrestha)", "type": "remediation developer"}, {"lang": "en", "value": "Greg Knaddison (greggles)", "type": "coordinator"}, {"lang": "en", "value": "Juraj Nemec (poker10)", "type": "coordinator"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-27T18:08:22.874887Z", "id": "CVE-2026-3529", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:09:00.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-3529", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-27T18:08:22.874887Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-27T18:04:18.175Z"}}], "cna": {"title": "Google Analytics GA4 - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-024", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Pierre Rudloff (prudloff)"}, {"lang": "en", "type": "remediation developer", "value": "Sujan Shrestha (sujan shrestha)"}, {"lang": "en", "type": "coordinator", "value": "Greg Knaddison (greggles)"}, {"lang": "en", "type": "coordinator", "value": "Juraj Nemec (poker10)"}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "affected": [{"repo": "https://git.drupalcode.org/project/ga4_google_analytics", "vendor": "Drupal", "product": "Google Analytics GA4", "versions": [{"status": "affected", "version": "0.0.0", "lessThan": "1.1.14", "versionType": "semver"}], "collectionURL": "https://www.drupal.org/project/ga4_google_analytics", "defaultStatus": "unaffected"}], "datePublic": "2026-03-04T17:59:00.000Z", "references": [{"url": "https://www.drupal.org/sa-contrib-2026-024"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).<p>This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\")"}]}], "providerMetadata": {"orgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "shortName": "drupal", "dateUpdated": "2026-03-26T20:03:28.917Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3529", "state": "PUBLISHED", "dateUpdated": "2026-03-27T18:09:00.611Z", "dateReserved": "2026-03-04T16:41:57.792Z", "assignerOrgId": "2c85b837-eb8b-40ed-9d74-228c62987387", "datePublished": "2026-03-26T20:03:28.917Z", "assignerShortName": "drupal"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sujanshrestha:google_analytics_ga4:*:*:*:*:*:drupal:*:*", "matchCriteriaId": "1430ADF7-121B-4B52-82A1-E9CA6BD7BAAB", "versionEndExcluding": "1.1.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation (\"Cross-site Scripting\") vulnerability in Drupal Google Analytics GA4 allows Cross-Site Scripting (XSS).This issue affects Google Analytics GA4: from 0.0.0 before 1.1.14."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en Drupal Google Analytics GA4 permite cross-site scripting (XSS). Este problema afecta a Google Analytics GA4: desde 0.0.0 anterior a 1.1.14."}], "id": "CVE-2026-3529", "lastModified": "2026-03-31T20:37:55.610", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-26T21:17:09.020", "references": [{"source": "mlhess@drupal.org", "tags": ["Vendor Advisory"], "url": "https://www.drupal.org/sa-contrib-2026-024"}], "sourceIdentifier": "mlhess@drupal.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "mlhess@drupal.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.0.0,1.1.14)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Google Analytics GA4", "source": "cna", "vendor": "Drupal"}, "product": "google_analytics_ga4", "vendor": "drupal"}], "analysis": {"en": {"generated_at": "2026-04-01T07:35:45.919505+00:00", "value": {"mitigation_remediation": ["Upgrade the Drupal Google Analytics GA4 module to version 1.1.14 or later", "Verify that no legacy forms or custom code introduce unsanitized input into the GA4 rendering context", "Test the site to confirm that JavaScript injection attempts are blocked", "If an immediate upgrade is not possible, temporarily disable the GA4 integration module and monitor for signs of XSS activity"], "summary": {"action": "Apply Patch", "impact": "Cross-site scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Drupal Google Analytics GA4 integration module. All releases from the initial version 0.0.0 up to, but not including, 1.1.14 are impacted. Site administrators must verify the module version and ensure that no legacy forms or custom code expose unsanitized input to the GA4 rendering context.", "description_and_impact": "An improper neutralization of user-supplied input during page generation in the Drupal Google Analytics GA4 module allows attackers to inject malicious scripts, creating a cross\u2011site scripting vulnerability. The flaw enables execution of arbitrary JavaScript in the browsers of visitors who view affected pages, potentially leading to session hijacking, data theft, or defacement. The weakness is classified under CWE\u201179, illustrating that input is not adequately sanitized.", "risk_and_exploitability": "The CVSS score of 6.1 indicates moderate severity, while an EPSS score below 1\u202f% points to a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting no public exploit in circulation. The likely attack vector requires an attacker to supply malicious payloads through input that the GA4 module processes during page rendering\u2014such as query parameters or publicly exposed fields. This inference is drawn from the description of improper input neutralization, as the exact exploitation path is not explicitly detailed in the available information."}}}}, "created": "2026-03-27T08:32:15.425733+00:00", "updated": "2026-04-02T07:56:27.792423+00:00", "vendors": ["drupal", "drupal$PRODUCT$google_analytics_ga4"]}