CVE-2026-3528

CVE-2026-3528: Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023

Vendor: Drupal
Product: Calculation Fields
Weakness: CWE-79 · XSS
Published: March 26, 2026
Last update: March 27, 2026

What the vulnerability does

01 Description

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS). This issue affects Calculation Fields: from 0.0.0 before 1.0.4.

Explanation of Vulnerability in Simple Terms

02 Summary

The Calculation Fields module for Drupal contains a cross-site scripting (XSS) vulnerability in versions before 1.0.4. An attacker can inject malicious scripts into calculation field inputs that execute in the browsers of other users viewing the affected content. This allows theft of session tokens, credential harvesting, or malware distribution. Update to version 1.0.4 or later to patch the vulnerability.

What an attacker can do

03 Attacker Capabilities

Inject malicious JavaScript that runs in other users' browsers when they view pages with calculation fields.

Potential impact on your site

04 Site Impact

Visitors to pages with compromised calculation fields may have sessions hijacked, credentials stolen, or be redirected to malicious sites.

Conditions required to exploit

05 Prerequisites

Ability to create or edit content with calculation fields; no special authentication level specified in available data.

Key dates

06 Disclosure timeline

March 26, 2026: CVE published
March 27, 2026: Record updated
