PT-2026-56663 · Drupal · Eca: Event - Condition - Action

Changhai Qi

+4

·

Published

2026-07-08

·

Updated

2026-07-10

·

CVE-2026-15083

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions ECA: Event - Condition - Action versions 0.0.0 through 2.1.20 ECA: Event - Condition - Action versions 3.0.0 through 3.0.12 ECA: Event - Condition - Action versions 3.1.0 through 3.1.4
Description Improperly controlled modification of dynamically-determined object attributes allows Object Injection. Additionally, the Render submodule fails to sufficiently sanitize template code when rendering inline Twig templates as part of no-code models, which can lead to information disclosure. This issue is mitigated if the site is not running an ECA model that utilizes the "Render: Twig" action on a data flow.
Recommendations Update ECA: Event - Condition - Action to a version later than 2.1.20. Update ECA: Event - Condition - Action to a version later than 3.0.12. Update ECA: Event - Condition - Action to a version later than 3.1.4.
Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-15083
DRUPAL-CONTRIB-2026-074

Affected Products

Eca: Event - Condition - Action