Come together with the global Drupal community in Rotterdam, 28 Sept – 1 Oct 2026. Sessions, contribution, connection, and Early Bird savings until 8 June.Project:
Date:
2025-June-25
Security risk:
Vulnerability:
Cross Site Scripting
Affected versions:
>=2.0.0 <2.0.5
CVE IDs:
CVE-2025-6677
Description:
Project Paragraphs table provides a field for a collection table.
The module doesn't sufficiently sanitise certain data attributes allowing Cross Site Scripting (XSS) attacks.
This vulnerability is mitigated by the fact that an attacker must have a role with permission to enter HTML tags containing specific data attributes.
Solution:
Install the latest version:
- If you use the Paragraphs table module 2.x for Drupal 10 or above, please upgrade to paragraphs table 2.0.5
Reported By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team
