PT-2026-56663 · Drupal · Eca: Event - Condition - Action
Changhai Qi
+4
·
Published
2026-07-08
·
Updated
2026-07-10
·
CVE-2026-15083
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
ECA: Event - Condition - Action versions 0.0.0 through 2.1.20
ECA: Event - Condition - Action versions 3.0.0 through 3.0.12
ECA: Event - Condition - Action versions 3.1.0 through 3.1.4
Description
Improperly controlled modification of dynamically-determined object attributes allows Object Injection. Additionally, the Render submodule fails to sufficiently sanitize template code when rendering inline Twig templates as part of no-code models, which can lead to information disclosure. This issue is mitigated if the site is not running an ECA model that utilizes the "Render: Twig" action on a data flow.
Recommendations
Update ECA: Event - Condition - Action to a version later than 2.1.20.
Update ECA: Event - Condition - Action to a version later than 3.0.12.
Update ECA: Event - Condition - Action to a version later than 3.1.4.
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Eca: Event - Condition - Action