View online: https://www.drupal.org/sa-contrib-2025-106 Project: JSON Field [1] Date: 2025-September-24 Security risk: *Critical* 15 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Default [2] Vulnerability: Cross Site Scripting Affected versions: <1.5 CVE IDs: CVE-2025-10926 Description:  This module enables you to store and display JSON data using optional 3rd party libraries. The module doesn't sufficiently filter data using some of the included field formatters leading to a Cross-site Scripting (XSS) vulnerability. Solution:  Install the latest version: * If you use the JSON Field module for Drupal 8.x, upgrade to JSON Field 8.x-1.5 [3]. Reported By:  * Ivan (chi) [4] Fixed By:  * Ivan (chi) [5] * Damien McKenna (damienmckenna) [6] of the Drupal Security Team Coordinated By:  * Damien McKenna (damienmckenna) [7] of the Drupal Security Team * Greg Knaddison (greggles) [8] of the Drupal Security Team ------------------------------------------------------------------------------ Contribution record [9] [1] https://www.drupal.org/project/json_field [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/json_field/releases/8.x-1.5 [4] https://www.drupal.org/u/chi [5] https://www.drupal.org/u/chi [6] https://www.drupal.org/u/damienmckenna [7] https://www.drupal.org/u/damienmckenna [8] https://www.drupal.org/u/greggles [9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....