Critical XSS vulnerability in Drupal module "Tagify" - CVE-2026-3212
Author: Drupal Security Team
Summary
The Drupal module "Tagify" has a moderate security vulnerability that allows attackers to execute arbitrary JavaScript code on the target site. This can lead to identity theft, data manipulation or other malicious activity. Users should update to the latest version of the module immediately to protect themselves against this vulnerability.
Project: Tagify
Date: 2026-February-25
Security risk: Moderately critical 13 ∕ 25 AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:Default
Vulnerability: Cross-site scripting
Affected versions: <1.2.49
CVE IDs: CVE-2026-3212
Description:
This module integrates the Tagify JavaScript library to enhance taxonomy entity reference widgets.
The module does not sufficiently sanitise user-supplied input before rendering it inside JavaScript template strings within the Tagify widget. This allows arbitrary JavaScript execution in the browser when a user creates or edits content.
Solution:
Install the latest version:
If you use the Tagify module, upgrade to Tagify 1.2.49 or later.
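The flaw class described above, shown as an added example that is not taken from the Tagify module or from the advisory: a label interpolated raw into a JavaScript template string, beside a version that escapes it first. The function names, the simplified markup and the sample label are assumptions constructed for illustration.

```javascript
// Added illustration; not code from the Tagify module or the Tagify library.
// All names, the markup skeleton and SAMPLE_LABEL are hypothetical/constructed.

// Constructed term label containing markup, as a user could type it.
const SAMPLE_LABEL = '<img src=x onerror="alert(1)">';

// Escape the five characters that are significant in HTML text and in
// quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe pattern: the label goes into the template string as-is, so markup
// inside the label becomes part of the rendered widget.
function renderTagUnsafe(tagData) {
  return `<tag title="${tagData.value}" class="tagify__tag">
    <span class="tagify__tag-text">${tagData.value}</span>
  </tag>`;
}

// Hardened pattern: every interpolated value is escaped for the HTML context
// it lands in before the string is handed to the DOM.
function renderTagSafe(tagData) {
  const label = escapeHtml(tagData.value);
  return `<tag title="${label}" class="tagify__tag">
    <span class="tagify__tag-text">${label}</span>
  </tag>`;
}

// Regression check for a template: count the opening tags in its output.
// The skeleton above has exactly two (<tag> and <span>); anything more
// means the label contributed markup of its own.
function countOpeningTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

console.log('unsafe:', countOpeningTags(renderTagUnsafe({ value: SAMPLE_LABEL })));
console.log('safe:  ', countOpeningTags(renderTagSafe({ value: SAMPLE_LABEL })));
```

A check like `countOpeningTags` can run in a unit test against every template that interpolates a term label, so a regression is caught before release.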
Reported By:
David López (akalam)
Mingsong (mingsong) provisional member of the Drupal Security Team
Fixed By:
David López (akalam)
David Galeano (gxleano)
Mingsong (mingsong) provisional member of the Drupal Security Team
Coordinated By:
Damien McKenna (damienmckenna) of the Drupal Security Team
Dan Smith (galooph) of the Drupal Security Team
Greg Knaddison (greggles) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team
Jess (xjm) of the Drupal Security Team
Source: www.drupal.org