CVE-2025-6677 is a high-severity Cross-Site Scripting (XSS) vulnerability identified in the Drupal Paragraphs module, specifically affecting the Paragraphs table component versions from 2.0.0 up to but not including 2.0.5. The vulnerability is classified under CWE-79, which involves improper neutralization of input during web page generation. This flaw allows an attacker to inject malicious scripts into web pages generated by the vulnerable Drupal module. When a user visits a compromised page, the injected script executes in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the user. The CVSS v3.1 base score of 7.1 reflects a high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The impact primarily affects confidentiality (C:H), with limited integrity impact (I:L) and no availability impact (A:N). No known exploits are currently reported in the wild, and no official patches have been linked yet, indicating that organizations using affected versions should prioritize mitigation. The vulnerability arises from insufficient sanitization or encoding of user-supplied input before rendering it in the Paragraphs table, a common Drupal content structuring feature. This flaw can be exploited remotely by unauthenticated attackers, making it a significant risk for websites relying on this module for content management and display.

For European organizations, this vulnerability poses a substantial risk, especially for those using Drupal-based websites with the Paragraphs module version 2.0.0 to 2.0.4. Exploitation could lead to unauthorized disclosure of sensitive information, including user credentials and session tokens, potentially facilitating further attacks such as account takeover or data breaches. Given the widespread use of Drupal in government, education, and enterprise sectors across Europe, the impact could extend to critical public-facing services and private sector platforms. The confidentiality breach could undermine user trust and lead to regulatory penalties under GDPR due to inadequate protection of personal data. Additionally, the integrity impact, though limited, could allow attackers to manipulate displayed content, potentially spreading misinformation or phishing content. The absence of availability impact means service disruption is unlikely, but the reputational damage and compliance risks remain significant. Organizations with high-traffic websites or those handling sensitive user data should consider this vulnerability a priority for remediation to avoid exploitation.

Organizations should immediately identify all Drupal installations using the Paragraphs module, specifically versions 2.0.0 through 2.0.4. Until an official patch is released, implement the following mitigations: 1) Apply strict Content Security Policy (CSP) headers to restrict script execution and reduce the impact of injected scripts. 2) Employ web application firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting the Paragraphs table. 3) Conduct thorough input validation and output encoding on any user-generated content rendered via the Paragraphs module, potentially using Drupal's built-in sanitization APIs as a temporary workaround. 4) Monitor web server and application logs for unusual requests or script injection attempts. 5) Educate site administrators and content editors about the risk of XSS and encourage cautious handling of user input. Once Drupal releases an official patch or module update, prioritize applying it promptly. Additionally, review and enhance incident response plans to address potential exploitation scenarios involving XSS attacks.