Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038

Project:

Drupal AlternativeCommerce (Basket)

Date:

2026-May-27

Security risk:

Highly critical 22 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:All

Vulnerability:

Arbitrary PHP code execution

Affected versions:

<2.1.17

CVE IDs:

CVE-2026-9726

Description:

The Basket module enables e-commerce and checkout functionality for Drupal sites.

The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize().

An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the site codebase or installed dependencies, this can result in arbitrary PHP code execution.

Solution:

Install the latest version:

If you use the Basket module, upgrade to Basket 2.1.17.

Reported By:

Drew Webber (mcdruid) of the Drupal Security Team

Fixed By:

Helena Zajika (helena zajika)
Drew Webber (mcdruid) of the Drupal Security Team

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Dave Long (longwave) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team

Contribution record

Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038

Contact and more information

Contributing organizations for this advisory

News items

Our community

Documentation

Drupal code base

Governance of community