DRUPAL-CONTRIB-2026-023

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/calculation_fields/DRUPAL-CONTRIB-2026-023.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-023

Aliases

CVE-2026-3528

Published

2026-03-04T17:58:55Z

Modified

2026-03-04T19:02:25.635524Z

Summary

[none]

Details

This module extends the Drupal form API adding "Calculation element" form element types, which can evaluate a maths expression. It offers webform integration.

The module doesn't sufficiently validate user input; this could be exploited to achieve Information Disclosure or Cross-site Scripting (XSS).

References

https://www.drupal.org/sa-contrib-2026-023

Credits

- Drew Webber (mcdruid)
- - https://www.drupal.org/u/mcdruid

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/calculation_fields

Package

Name: drupal/calculation_fields
Purl: pkg:composer/drupal/calculation_fields

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

1.0.4

Database specific

{
    "constraint": "<1.0.4"
}

Database specific

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/calculation_fields/DRUPAL-CONTRIB-2026-023.json"

affected_versions

"<1.0.4"