—
DRUPAL-CONTRIB-2026-074
Details
The Events, Conditions, Actions (ECA) module's Render submodule enables you to build render arrays and render inline Twig templates as part of no-code ECA models.
The module doesn't sufficiently sanitize template code when rendering, which can lead to information disclosure.
This vulnerability is mitigated by the fact that a site must be running an ECA model that uses the "Render: Twig" action on a data flow.
Are you affected?
Enter the version of the package you're using.
Affected packages
Packagist:https://packages.drupal.org/8 / drupal/eca
Introduced in:
0 Fixed in: 2.1.20 Upgrade drupal/eca to 2.1.20 or newer (ecosystem packagist:https://packages.drupal.org/8).