Description
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).This issue affects Calculation Fields: from 0.0.0 before 1.0.4.
Published: 2026-03-26
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting
Action: Patch Immediately
AI Analysis

Impact

This vulnerability occurs when user input is inserted into output without proper neutralization during web page generation in the Drupal Calculation Fields module. The flaw enables attackers to inject malicious scripts that execute in a victim’s browser, potentially leading to session theft, credential compromise, or the execution of arbitrary code. The weakness is mapped to CWE‑79 and carries a CVSS base score of 6.1, reflecting a moderate severity.

Affected Systems

The Drupal Calculation Fields module is vulnerable in all releases from the initial 0.0.0 version up to, but not including, 1.0.4. Administrators should verify the version of the module installed on all sites that use the Calculation Fields feature.

Risk and Exploitability

The EPSS score is below 1 % and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation at present. Based on the description, it is inferred that an attacker could inject malicious script via the module’s input interface; the script would be rendered when any user views the affected content. No explicit authentication requirement is stated, so it is assumed that the vulnerability can be exercised without special privileges. Administrators should assess whether public‑facing sites run vulnerable versions and plan remediation accordingly.

Generated by OpenCVE AI on April 2, 2026 at 05:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Calculation Fields to version 1.0.4 or newer

Generated by OpenCVE AI on April 2, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.drupal.org/sa-contrib-2026-023 cve-icon cve-icon
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Joaopaulocdev
Joaopaulocdev calculation Fields
CPEs cpe:2.3:a:joaopaulocdev:calculation_fields:*:*:*:*:*:drupal:*:*
Vendors & Products Joaopaulocdev
Joaopaulocdev calculation Fields

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Drupal
Drupal calculation Fields
Vendors & Products Drupal
Drupal calculation Fields

Thu, 26 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).This issue affects Calculation Fields: from 0.0.0 before 1.0.4.
Title Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023
Weaknesses CWE-79
References

Subscriptions

Drupal Calculation Fields
Joaopaulocdev Calculation Fields
cve-icon MITRE

Status: PUBLISHED

Assigner: drupal

Published:

Updated: 2026-03-27T18:11:29.380Z

Reserved: 2026-03-04T16:41:56.653Z

Link: CVE-2026-3528

cve-icon Vulnrichment

Updated: 2026-03-27T18:10:31.913Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:08.890

Modified: 2026-04-01T15:44:18.650

Link: CVE-2026-3528

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:28Z

Weaknesses