Skip to main content

Calculation Fields EUVDEUVD-2026-16381

| CVE-2026-3528 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 drupal
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 26, 2026 - 20:31 euvd
EUVD-2026-16381
Analysis Generated
Mar 26, 2026 - 20:31 vuln.today
CVE Published
Mar 26, 2026 - 20:03 nvd
MEDIUM 6.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal Calculation Fields allows Cross-Site Scripting (XSS).This issue affects Calculation Fields: from 0.0.0 before 1.0.4.

AnalysisAI

Cross-site scripting (XSS) in Drupal Calculation Fields module versions prior to 1.0.4 permits remote attackers to inject arbitrary JavaScript into dynamically generated web pages, enabling session hijacking, credential theft, and malware distribution against users viewing affected pages. The vulnerability stems from improper input neutralization during calculation field rendering, affecting all installations running Calculation Fields 0.0.0 through 1.0.3. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The Drupal Calculation Fields module (CPE: cpe:2.3:a:drupal:calculation_fields:*:*:*:*:*:*:*:*) is a contributed module for the Drupal content management system that allows administrators to define custom calculated field values. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic reflective or stored XSS flaw where user-controlled or calculation-derived data is rendered into HTML output without proper escaping or sanitization. When calculation field logic processes user input or external data sources, the resulting values are written to the page DOM without sufficient output encoding, allowing malicious payloads to execute in the context of the victim's browser session with the privileges of the authenticated Drupal user.

RemediationAI

Upgrade Drupal Calculation Fields to version 1.0.4 or later immediately (see Drupal security advisory at https://www.drupal.org/sa-contrib-2026-023 for patch delivery). Site administrators should apply the update through Drupal's module management interface or manually via Composer/Drush. Until patching can be completed, implement defense-in-depth measures: enforce Content Security Policy (CSP) headers with script-src restrictions to mitigate stored XSS impact, disable the Calculation Fields module if not actively in use, restrict administrative access to calculation field configuration, and conduct a content audit to identify and remove any malicious payloads in existing calculated field values. Monitor Drupal logs for suspicious calculation field input patterns and user access anomalies post-patch.

Share

EUVD-2026-16381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy