Vulnerability from drupal
Published
2026-03-04 17:59
Modified
2026-03-05 14:03
Summary
Details

The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes.

This vulnerability is mitigated by the fact that an attacker must have a role with the "ga4 configure" (or "administer google analytics ga4 settings") permission.

An attacker with this permission could inject malicious JavaScript via event handlers (such as onload) or override the script source, leading to a Cross-Site Scripting (XSS) attack on all pages where the GA4 script is loaded.

Note: this advisory initially suggested it was fixed in the 1.1.13 release, but the 1.1.13 release was missing the fix. Users of this module should switch to the 1.1.14 release.
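As an added illustration, not the ga4_google_analytics module's own code and not the 1.1.14 fix, the PHP below contrasts a renderer that concatenates administrator-supplied script-tag attributes verbatim with one that applies an attribute allowlist and attribute-context escaping; the allowlist contents, the function names and the sample input are assumptions constructed for this example.

```php
<?php
// Added example, not the ga4_google_analytics module's code: contrasts
// verbatim attribute concatenation with an allowlist-based renderer.
declare(strict_types=1);

// Hypothetical allowlist: src and every on* handler are deliberately absent.
const GA4_ALLOWED_ATTRIBUTES = ['async', 'defer', 'nonce', 'crossorigin'];

// Vulnerable pattern: names and values go into the tag unchanged, so an
// "onload" key or a second "src" key becomes live markup on every page.
function build_script_tag_unsafe(string $src, array $attributes): string {
  $out = '';
  foreach ($attributes as $name => $value) {
    $out .= " $name=\"$value\"";
  }
  return "<script src=\"$src\"$out></script>";
}

// Hardened pattern: unknown attribute names are dropped, values are escaped
// for an HTML attribute context, and the script source stays fixed.
function build_script_tag_safe(string $src, array $attributes): string {
  $out = '';
  foreach ($attributes as $name => $value) {
    $name = strtolower(trim((string) $name));
    if (!in_array($name, GA4_ALLOWED_ATTRIBUTES, true)) {
      continue; // rejects onload/onerror, src, and anything not allowlisted
    }
    $escaped = htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $out .= " $name=\"$escaped\"";
  }
  $escapedSrc = htmlspecialchars($src, ENT_QUOTES | ENT_HTML5, 'UTF-8');
  return "<script src=\"$escapedSrc\"$out></script>";
}

// Constructed input standing in for what a user holding "ga4 configure"
// could submit through the module's settings form.
$input = [
  'async'  => 'async',
  'onload' => 'console.log("injected")',
  'src'    => 'https://attacker.invalid/loader.js',
];
$gaSrc = 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER';

echo build_script_tag_unsafe($gaSrc, $input), PHP_EOL;
echo build_script_tag_safe($gaSrc, $input), PHP_EOL;
```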

Credits
Pierre Rudloff (prudloff) www.drupal.org/u/prudloff

{
  "affected": [
    {
      "database_specific": {
        "affected_versions": "\u003c1.1.14"
      },
      "package": {
        "ecosystem": "Packagist:https://packages.drupal.org/8",
        "name": "drupal/ga4_google_analytics"
      },
      "ranges": [
        {
          "database_specific": {
            "constraint": "\u003c1.1.14"
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.1.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "severity": []
    }
  ],
  "aliases": [
    "CVE-2026-3529"
  ],
  "credits": [
    {
      "contact": [
        "https://www.drupal.org/u/prudloff"
      ],
      "name": "Pierre Rudloff (prudloff)"
    }
  ],
  "details": "The Google Analytics GA4 module enables users to add custom attributes to the script tag used to load the Google Analytics library. The module does not sufficiently sanitize these attributes.\n\nThis vulnerability is mitigated by the fact that an attacker must have a role with the \"ga4 configure\" (or \"administer google analytics ga4 settings\") permission.\n\nAn attacker with this permission could inject malicious JavaScript via event handlers (such as onload) or override the script source, leading to a Cross-Site Scripting (XSS) attack on all pages where the GA4 script is loaded.\n\n*Note: this advisory initially suggested it was fixed in the 1.1.13 release, but the 1.1.13 release was missing the fix. Users of this module should switch to the 1.1.14 release.*",
  "id": "DRUPAL-CONTRIB-2026-024",
  "modified": "2026-03-05T14:03:05.000Z",
  "published": "2026-03-04T17:59:51.000Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://www.drupal.org/sa-contrib-2026-024"
    }
  ],
  "schema_version": "1.7.0"
}