Calculation Fields - Moderately critical - Cross-site Scripting - SA-CONTRIB-2026-023
Project: Calculation Fields
Date: 2026-March-04
Security risk: Moderately critical 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
Vulnerability: Cross-site Scripting
Affected versions: <1.0.4
CVE IDs: CVE-2026-3528
Description: This module extends the Drupal form API adding "Calculation element" form element types, which can evaluate a maths expression. It offers webform integration.
The module doesn't sufficiently validate user input; this could be exploited to achieve Information Disclosure or Cross-site Scripting (XSS).
Solution: Install the latest version:
- If you use the Calculation fields module, upgrade to Calculation fields 1.0.4
Reported By:
- Drew Webber (mcdruid) of the Drupal Security Team
Fixed By:
Coordinated By:
- Greg Knaddison (greggles) of the Drupal Security Team
- Drew Webber (mcdruid) of the Drupal Security Team
- Juraj Nemec (poker10) of the Drupal Security Team

