Date: 
2026-July-08
Vulnerability: 
Information disclosure
Affected versions: 
<2.1.20 || >=3.0.0 <3.0.12 || >=3.1.0 <3.1.4
CVE IDs: 
CVE-2026-15083
Description: 

The Events, Conditions, Actions (ECA) module's Render submodule enables you to build render arrays and render inline Twig templates as part of no-code ECA models.

The module doesn't sufficiently sanitize template code when rendering, which can lead to information disclosure.

This vulnerability is mitigated by the fact that a site must be running an ECA model that uses the "Render: Twig" action on a data flow.

Solution: 

Install the latest version:

  • If you use the ECA 3.1 for Drupal 10.x or 11.x, upgrade to ECA 3.1.4
  • If you use the ECA 3.0 for Drupal 10.x or 11.x, upgrade to ECA 3.0.12
  • If you use the ECA 1.2 for Drupal 10.x or 11.x, upgrade to ECA 2.1.20
Reported By: 
Coordinated By: