View online: https://www.drupal.org/sa-contrib-2025-106
Project: JSON Field [1] Date: 2025-September-24 Security risk: *Critical* 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting
Affected versions: <1.5 CVE IDs: CVE-2025-10926 Description: This module enables you to store and display JSON data using optional 3rd party libraries.
The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting (XSS) vulnerability.
Solution: Install the latest version:
* If you use the JSON Field module for Drupal 8.x, upgrade to JSON Field 8.x-1.5 [3].
Reported By: * Ivan (chi) [4]
Fixed By: * Ivan (chi) [5] * Damien McKenna (damienmckenna) [6] of the Drupal Security Team
Coordinated By: * Damien McKenna (damienmckenna) [7] of the Drupal Security Team * Greg Knaddison (greggles) [8] of the Drupal Security Team
------------------------------------------------------------------------------ Contribution record [9]
[1] https://www.drupal.org/project/json_field [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/json_field/releases/8.x-1.5 [4] https://www.drupal.org/u/chi [5] https://www.drupal.org/u/chi [6] https://www.drupal.org/u/damienmckenna [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles [9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....