Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).This issue affects Calculation Fields: from 0.0.0 before 1.0.4.
AnalysisAI
Cross-site scripting (XSS) in Drupal Calculation Fields module versions prior to 1.0.4 permits remote attackers to inject arbitrary JavaScript into dynamically generated web pages, enabling session hijacking, credential theft, and malware distribution against users viewing affected pages. The vulnerability stems from improper input neutralization during calculation field rendering, affecting all installations running Calculation Fields 0.0.0 through 1.0.3. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
The Drupal Calculation Fields module (CPE: cpe:2.3:a:drupal:calculation_fields:*:*:*:*:*:*:*:*) is a contributed module for the Drupal content management system that allows administrators to define custom calculated field values. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic reflective or stored XSS flaw where user-controlled or calculation-derived data is rendered into HTML output without proper escaping or sanitization. When calculation field logic processes user input or external data sources, the resulting values are written to the page DOM without sufficient output encoding, allowing malicious payloads to execute in the context of the victim's browser session with the privileges of the authenticated Drupal user.
RemediationAI
Upgrade Drupal Calculation Fields to version 1.0.4 or later immediately (see Drupal security advisory at https://www.drupal.org/sa-contrib-2026-023 for patch delivery). Site administrators should apply the update through Drupal's module management interface or manually via Composer/Drush. Until patching can be completed, implement defense-in-depth measures: enforce Content Security Policy (CSP) headers with script-src restrictions to mitigate stored XSS impact, disable the Calculation Fields module if not actively in use, restrict administrative access to calculation field configuration, and conduct a content audit to identify and remove any malicious payloads in existing calculated field values. Monitor Drupal logs for suspicious calculation field input patterns and user access anomalies post-patch.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16381