CVE-2026-9726
Drupal AlternativeCommerce (Basket) - Highly critical - Arbitrary PHP code execution - SA-CONTRIB-2026-038
CVSS Score
9.8
EPSS Score
0.2%
EPSS Percentile
6th
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal AlternativeCommerce (Basket) allows Object Injection. This issue affects Drupal AlternativeCommerce (Basket) versions: from 0.0.0 to 2.1.17.
| CWE | CWE-915 |
| Vendor | drupal |
| Product | drupal alternativecommerce (basket) |
| Ecosystems | |
| Industries | WebMedia |
| Published | Jul 10, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for drupal drupal alternativecommerce (basket)
Be the first to know when new critical vulnerabilities affecting drupal drupal alternativecommerce (basket) are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Drupal / Drupal AlternativeCommerce (Basket)
0.0.0 < 2.1.17
Credits
Drew Webber (mcdruid) Helena Zajika (helena zajika) Drew Webber (mcdruid) Greg Knaddison (greggles) Dave Long (longwave) Drew Webber (mcdruid)