JSON Field - Critical - Cross Site Scripting - SA-CONTRIB-2025-106
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal JSON Field allows Cross-Site Scripting (XSS). This issue affects JSON Field: from 0.0.0 before 1.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Drupal JSON Field module before 1.5 fails to sanitize output in field formatters, enabling stored XSS attacks.
Vulnerability
Overview
The JSON Field module for Drupal, which allows storage and display of JSON data via optional third-party libraries, contains a cross-site scripting (XSS) vulnerability due to improper neutralization of input during web page generation [1]. The module does not sufficiently filter data when using certain included field formatters, allowing malicious content to be rendered unsanitized [2].
Exploitation
An attacker with the ability to input or modify JSON field content can inject arbitrary JavaScript or HTML. When other users view the affected field formatter output, the injected script executes in their browser session. No special privileges beyond content creation or editing are required, depending on the site's permissions configuration [2].
Impact
Successful exploitation leads to stored XSS, enabling an attacker to perform actions on behalf of the victim, steal session cookies, redirect users to malicious sites, or deface pages. The vulnerability affects all versions of the JSON Field module from 0.0.0 up to, but not including, version 1.5 [1][2].
Mitigation
The Drupal security advisory (SA-CONTRIB-2025-106) recommends upgrading to JSON Field 8.x-1.5 or later, which contains the necessary input sanitization fixes [2]. No workarounds are documented; applying the update is the only confirmed mitigation.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| drupal/json_field (Packagist) | < 1.5 | 1.5 |
Affected products
- Range: <1.5
- Drupal/JSON Field (v5): range 0.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-m3f2-xjgc-2wp2 (source: ghsa; type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-10926 (source: ghsa; type: ADVISORY)
- www.drupal.org/sa-contrib-2025-106 (source: ghsa; type: WEB)
News mentions
No linked articles in our index yet.