View online: https://www.drupal.org/sa-contrib-2025-084 Project: Paragraphs table [1] Date: 2025-June-25 Security risk: *Moderately critical* 13 ∕ 25 AC:None/A:Admin/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Cross Site Scripting Affected versions: >=2.0.0 <2.0.5 CVE IDs: CVE-2025-6677 Description: Project Paragraphs table provides a field for a collection table. The module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting (XSS) attacks. This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes. Solution: Install the latest version: * If you use the Paragraphs table module 2.x for Drupal 10 or above, please upgrade to paragraphs table 2.0.5 [3] Reported By: * Pierre Rudloff (prudloff) [4] Fixed By: * Joseph Olstad (joseph.olstad) [5] * NGUYEN Bao (lazzyvn) [6] Coordinated By: * Greg Knaddison (greggles) [7] of the Drupal Security Team * Juraj Nemec (poker10) [8] of the Drupal Security Team [1] https://www.drupal.org/project/paragraphs_table [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/paragraphs_table/releases/2.0.5 [4] https://www.drupal.org/u/prudloff [5] https://www.drupal.org/u/josepholstad [6] https://www.drupal.org/u/lazzyvn [7] https://www.drupal.org/u/greggles [8] https://www.drupal.org/u/poker10