DRUPAL-CONTRIB-2026-038

See a problem?

Import Source

https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/basket/DRUPAL-CONTRIB-2026-038.json

JSON Data

https://api.osv.dev/v1/vulns/DRUPAL-CONTRIB-2026-038

Aliases

CVE-2026-9726

Published

2026-05-27T18:32:18Z

Modified

2026-05-27T20:45:06.391645855Z

Summary

[none]

Details

The Basket module enables e-commerce and checkout functionality for Drupal sites.

The module does not sufficiently sanitize user-supplied data before passing it to PHP's unserialize().

An attacker can supply a crafted payload and trigger PHP Object Injection. If a viable gadget chain exists in the site codebase or installed dependencies, this can result in arbitrary PHP code execution.

References

https://www.drupal.org/sa-contrib-2026-038

Credits

- Drew Webber (mcdruid)
- - https://www.drupal.org/u/mcdruid

Affected packages

Packagist:https://packages.drupal.org/8 / drupal/basket

Package

Name: drupal/basket
Purl: pkg:composer/drupal%2Fbasket

Affected ranges

Type

ECOSYSTEM

Events

Introduced

Fixed

2.1.17

Database specific

{
    "constraint": "<2.1.17"
}

Database specific

affected_versions

"<2.1.17"

source

"https://github.com/DrupalSecurityTeam/drupal-advisory-database/blob/main/advisories/basket/DRUPAL-CONTRIB-2026-038.json"