VDB
KO

DRUPAL-CONTRIB-2026-074

Details

The Events, Conditions, Actions (ECA) module's Render submodule enables you to build render arrays and render inline Twig templates as part of no-code ECA models.

The module doesn't sufficiently sanitize template code when rendering, which can lead to information disclosure.

This vulnerability is mitigated by the fact that a site must be running an ECA model that uses the "Render: Twig" action on a data flow.

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/eca
Introduced in: 0 Fixed in: 2.1.20

Upgrade drupal/eca to 2.1.20 or newer (ecosystem packagist:https://packages.drupal.org/8).

References