"Ricochet has proven to be a partner that we can depend on to create and maintain a successful drupal-based CMS system. Their deep experience in drupal has allowed them to identify existing plugins and to quickly implement custom logic when required to efficiently implement our international content management workflow and site. Ricochet has shown their commitment to our success again and again, working collaboratively across our team to make it happen, and putting in the extra effort when needed to meet our business goals."
—David Saffren, Blurb.com

Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038

Wed, 2026-05-27 11:32 — Anonymous (not verified)

Project: Drupal AlternativeCommerce (Basket)Date: 2026-May-27Security risk: Highly critical 22 ∕ 25 AC:None/A:None/CI:All/II:All/E:Theoretical/TD:AllVulnerability: Arbitrary PHP code executionAffected versions: <2.1.17CVE IDs: CVE-2026-9726Description: The Basket module enables e-commerce and checkout functionality for Drupal sites.
The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize().
An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the site codebase or installed dependencies, this can result in arbitrary PHP code execution.Solution: Install the latest version:

If you use the Basket module, upgrade to Basket 2.1.17.

Reported By:

Drew Webber (mcdruid) of the Drupal Security Team

Fixed By:

Helena Zajika (helena zajika)
Drew Webber (mcdruid) of the Drupal Security Team

Coordinated By:

Greg Knaddison (greggles) of the Drupal Security Team
Dave Long (longwave) of the Drupal Security Team
Drew Webber (mcdruid) of the Drupal Security Team

Path to article https://www.drupal.org/sa-contrib-2026-038

Search form

Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038