CVE-2026-15083
Received
Received - Intake
Object Injection in Drupal ECA Module
Vulnerability report for CVE-2026-15083, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-10
Last updated on: 2026-07-10
Assigner: Drupal.org
Description
Description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| drupal | eca_event_condition_action | From 0.0.0 (inc) to 2.1.20 (inc) |
| drupal | eca_event_condition_action | From 3.0.0 (inc) to 3.0.12 (inc) |
| drupal | eca_event_condition_action | From 3.1.0 (inc) to 3.1.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |