CVE-2026-3528 PUBLISHED

Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023

Assigner: drupal
Reserved: 04.03.2026 Published: 26.03.2026 Updated: 26.03.2026

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).This issue affects Calculation Fields: from 0.0.0 before 1.0.4.

Product Status

Vendor	Drupal
Product	Calculation Fields
Versions	Default: unaffected affected from 0.0.0 to 1.0.4 (excl.)

Credits

Drew Webber (mcdruid) finder
Joao Paulo Constantino (joaopauloc.dev) remediation developer
Greg Knaddison (greggles) coordinator
Drew Webber (mcdruid) coordinator
Juraj Nemec (poker10) coordinator

References

https://www.drupal.org/sa-contrib-2026-023

Problem Types

CWE-79 Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") CWE

Impacts

CAPEC-63 Cross-Site Scripting (XSS)