Skip to main content

Drupal Alternativecommerce Basket

1 CVEs product

Monthly

CVE-2026-9726 PHP CRITICAL PATCH Act Now

PHP object injection in the Drupal AlternativeCommerce (Basket) contributed module (all versions up to and including 2.1.17) allows remote unauthenticated attackers to modify dynamically-determined object attributes and inject crafted objects into the application. Successful exploitation can lead to code execution or full compromise of the Drupal site, with CVSS 3.1 scoring it 9.8 (Critical). No public exploit identified at time of analysis, and EPSS is low at 0.16% (6th percentile), indicating no observed exploitation activity yet despite the high severity rating.

Code Injection Drupal Alternativecommerce Basket
NVD
CVSS 3.1
9.8
EPSS
0.2%
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

PHP object injection in the Drupal AlternativeCommerce (Basket) contributed module (all versions up to and including 2.1.17) allows remote unauthenticated attackers to modify dynamically-determined object attributes and inject crafted objects into the application. Successful exploitation can lead to code execution or full compromise of the Drupal site, with CVSS 3.1 scoring it 9.8 (Critical). No public exploit identified at time of analysis, and EPSS is low at 0.16% (6th percentile), indicating no observed exploitation activity yet despite the high severity rating.

Code Injection Drupal Alternativecommerce Basket
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy