CVE-2026-15083 PUBLISHED

ECA: Event - Condition - Action - Less critical - Information disclosure - SA-CONTRIB-2026-074

Assigner: drupal
Reserved: 08.07.2026 Published: 10.07.2026 Updated: 10.07.2026

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4.

Product Status

Vendor Drupal
Product ECA: Event - Condition - Action
Versions
  • affected from 0.0.0 to 2.1.20 (excl.)
  • affected from 3.0.0 to 3.0.12 (excl.)
  • affected from 3.1.0 to 3.1.4 (excl.)

Credits

  • Changhai Qi (qichanghai) finder
  • Jürgen Haas (jurgenhaas) remediation developer
  • Neil Drumm (drumm) coordinator
  • Greg Knaddison (greggles) coordinator
  • Dave Long (longwave) coordinator

References

Problem Types

  • CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE

Impacts

  • CAPEC-586 Object Injection