Object Injection Vulnerability in Drupal ECA: Event - Condition - Action
CVE-2026-15083

Currently unrated

Key Information:

Vendor

Drupal

Vendor
CVE Published:
10 July 2026

What is CVE-2026-15083?

The vulnerability in Drupal's ECA: Event - Condition - Action allows an attacker to manipulate object attributes improperly, leading to potential object injection. This affects versions 0.0.0 to 2.1.20, 3.0.0 to 3.0.12, and 3.1.0 to 3.1.4. Users are advised to assess their installation and apply the necessary updates to mitigate risks associated with this vulnerability.

Affected Version(s)

ECA: Event - Condition - Action 0.0.0 < 2.1.20

ECA: Event - Condition - Action 3.0.0 < 3.0.12

ECA: Event - Condition - Action 3.1.0 < 3.1.4

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Changhai Qi (qichanghai)
Jürgen Haas (jurgenhaas)
Neil Drumm (drumm)
Greg Knaddison (greggles)
Dave Long (longwave)
.