Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Network-reachable but high complexity and low-privilege authentication required; limited confidentiality and integrity impact with no availability effect and no scope change.
Primary rating from Vendor (drupal).
CVSS VectorVendor: drupal
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4.
AnalysisAI
Object injection in the Drupal ECA (Event - Condition - Action) contributed module exposes sites running affected versions to limited confidentiality and integrity compromise by authenticated low-privileged users. The vulnerability stems from improperly controlled modification of dynamically-determined object attributes (CWE-915, a mass-assignment class of flaw), allowing a crafted request to inject object properties and influence internal application logic within ECA's event-driven workflow engine. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid Drupal account with at least low-privileged access, as confirmed by the CVSS PR:L metric - fully unauthenticated attackers cannot exploit this vulnerability. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 4.2 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N) reflects a constrained but genuine risk: the vulnerability is network-reachable and requires no user interaction, but demands authenticated access at low privilege level and high attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated low-privileged Drupal user - such as a contributor or editor with access to ECA-exposed endpoints - crafts a request that injects unexpected object attributes into a dynamically-constructed ECA object during event processing. By exploiting the insufficient property allowlisting, the attacker manipulates internal object state to read restricted data or alter ECA workflow outcomes such as condition evaluations or action parameters. … |
| Remediation | Upgrade the ECA module to a fixed release per the vendor advisory at https://www.drupal.org/sa-contrib-2026-074. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43078
GHSA-7h4c-w76p-j34c