Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2.CreditsDrew Webber (mcdruid)Anas Mawlawi (anas_maw)Benji Fisher (benjifisher)Drew Webber (mcdruid)Benji Fisher (benjifisher)Drew Webber (mcdruid)Jess (xjm)Referenceshttps://www.drupal.org/sa-contrib-2026-049