
[CIVN-2026-0280] Arbitrary PHP Code Execution Vulnerability in Drupal AlternativeCommerce (Basket) Module
Indian - Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Drupal AlternativeCommerce (Basket) versions prior to 2.1.17
Overview
A vulnerability has been reported in the Drupal AlternativeCommerce (Basket) module that could allow an attacker to execute arbitrary PHP code on the targeted system.
Target Audience:
Individuals and end-user organizations using the affected Drupal module.
Risk Assessment:
High risk of arbitrary code execution, unauthorized access and modification, and full system compromise.
Impact Assessment:
Potential for data exposure and theft, unauthorized access, website defacement, and disruption of services.
Description
Drupal is an open-source content management system (CMS) that allows individuals and organizations to create, manage and maintain websites and web applications.
This vulnerability exists in the Drupal AlternativeCommerce (Basket) module due to insufficient sanitization of user-supplied data before it is passed to PHP's unserialize() function. An attacker could exploit this by sending specially crafted requests to trigger PHP Object Injection.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary PHP code on the targeted system.
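The following detection example is added here and is not part of the CERT-In advisory or the module's code. It flags query parameters in web access logs that carry a serialized PHP object, either raw or base64-encoded, which is the kind of request the description refers to. Assumptions: an Apache-style access log, constructed sample lines and made-up parameter names; the advisory does not name the affected parameter, and data sent in POST bodies or cookies will not appear in such logs.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# serialize() writes an object as O:<len>:"<Class>":<count>:{...} (C: is the
# older Serializable form). Arrays and scalars never produce this token.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def decodings(value):
    """Yield the value as sent and, if it is valid base64, its decoded form."""
    yield value
    b64 = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    try:
        yield base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        pass  # not base64, nothing more to inspect


def suspicious_params(log_line):
    """Return names of query parameters that carry a serialized PHP object."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if any(PHP_OBJECT.search(text) for text in decodings(value))]


def sample_line(path_and_query):
    """Build a constructed Apache-style log line (sample data, not real traffic)."""
    return f'203.0.113.7 - - [01/Jan/2026:10:00:00 +0000] "GET {path_and_query} HTTP/1.1" 200 512'


OBJ = 'O:8:"stdClass":0:{}'   # harmless built-in class, used only as a sample
ARR = 'a:1:{s:3:"qty";i:2;}'  # plain array, must not be flagged
SAMPLE_LOG = [
    sample_line("/cart?data=" + quote(ARR, safe="")),
    sample_line("/cart?data=" + quote(OBJ, safe="")),
    sample_line("/cart?ref=x&state=" + quote(base64.b64encode(OBJ.encode()).decode(), safe="")),
    sample_line("/node/1?page=2"),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(suspicious_params(line) or "-", line.split('"')[1])
```

A hit means a request carried a serialized object, not that exploitation succeeded; treat it as a lead to correlate with the module version in use at the time.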
Solution
Upgrade to the latest version as described in the security advisory:
https://www.drupal.org/sa-contrib-2026-038
Vendor Information
Drupal
https://www.drupal.org
References
Drupal
https://www.drupal.org/sa-contrib-2026-038
CVE Name
CVE-2026-9726
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


