View online: https://www.drupal.org/sa-contrib-2026-023

Project: Calculation Fields [1] Date: 2026-March-04 Security risk: *Moderately critical* 14 ∕ 25 AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon [2] Vulnerability: Cross-site Scripting

Affected versions: <1.0.4 CVE IDs: CVE-2026-3528 Description:  This module extends the Drupal form API adding "Calculation element" form element types, which can evaluate a maths expression. It offers webform integration.

The module doesn't sufficiently validate user input; this could be exploited to achieve Information Disclosure or Cross-site Scripting (XSS).

Solution:  Install the latest version:

* If you use the Calculation fields module, upgrade to Calculation fields 1.0.4 [3]

Reported By:  * Drew Webber (mcdruid) [4] of the Drupal Security Team

Fixed By:  * Joao Paulo Constantino (joaopauloc.dev) [5]

Coordinated By:  * Greg Knaddison (greggles) [6] of the Drupal Security Team * Drew Webber (mcdruid) [7] of the Drupal Security Team * Juraj Nemec (poker10) [8] of the Drupal Security Team

------------------------------------------------------------------------------ Contribution record [9]

[1] https://www.drupal.org/project/calculation_fields [2] https://www.drupal.org/security-team/risk-levels [3] https://www.drupal.org/project/calculation_fields/releases/1.0.4 [4] https://www.drupal.org/u/mcdruid [5] https://www.drupal.org/u/joaopaulocdev [6] https://www.drupal.org/u/greggles [7] https://www.drupal.org/u/mcdruid [8] https://www.drupal.org/u/poker10 [9] https://new.drupal.org/contribution-record?source_link=https%3A//www.drupal....