What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS). This issue affects Calculation Fields: from 0.0.0 before 1.0.4.
Explanation of Vulnerability in Simple Terms
02 Summary
The Calculation Fields module for Drupal contains a cross-site scripting (XSS) vulnerability in versions before 1.0.4. An attacker can inject malicious scripts into calculation field inputs that execute in the browsers of other users viewing the affected content. This allows theft of session tokens, credential harvesting, or malware distribution. Update to version 1.0.4 or later to patch the vulnerability.
What an attacker can do
03 Attacker Capabilities
Inject malicious JavaScript that runs in other users' browsers when they view pages with calculation fields.
Potential impact on your site
04 Site Impact
Visitors to pages with compromised calculation fields may have sessions hijacked, credentials stolen, or be redirected to malicious sites.
Conditions required to exploit
05 Prerequisites
Ability to create or edit content with calculation fields; no special authentication level specified in available data.
Key dates
06 Disclosure timeline
March 26, 2026: CVE published
March 27, 2026: Record updated