Basket Security Update Fixes Highly Critical PHP Object Injection Flaw
Security maintainers have released version 2.1.17 of Drupal AlternativeCommerce (Basket) to address a highly critical vulnerability that could lead to PHP Object Injection and, under certain conditions, arbitrary PHP code execution. The issue is documented in Drupal security advisory SA-CONTRIB-2026-038, published on 27 May 2026, and assigned CVE-2026-9726. The advisory affects all Basket releases earlier than version 2.1.17.
The Drupal Security Team assigned the vulnerability a risk score of 22 out of 25 and classified it as Highly Critical. According to the advisory, the module does not sufficiently sanitise user-supplied data before passing it to PHP's unserialize() function. An attacker can supply a crafted payload and trigger PHP Object Injection.
The advisory states that arbitrary PHP code execution may occur if a viable gadget chain exists within the site's codebase or installed dependencies. While the Drupal Security Team classifies the issue as arbitrary PHP code execution, exploitability is currently rated as theoretical and no public exploit information accompanies the advisory.
Additional context appears in the release notes for Basket 2.1.17, where maintainers describe one of the fixes as addressing "unsafe payInfo deserialization in payment page." Although the advisory does not identify the affected component, the release notes suggest that the vulnerability involved deserialisation of a value named payInfo within the payment workflow.
The same release also introduces CSRF token validation for Basket API actions and additional hardening around payment callback order finalisation. However, the assigned CVE and security advisory relate specifically to the deserialisation issue rather than those additional security improvements.
Site owners running Basket versions earlier than 2.1.17 are advised to upgrade to the fixed release. The advisory does not disclose further implementation details, affected routes, or patch mechanics.
The vulnerability was reported by Drew Webber (mcdruid) of the Drupal Security Team. The fix was credited to Helena Zajika and Webber, while coordination was provided by Greg Knaddison (greggles), Dave Long (longwave), and Drew Webber on behalf of the Drupal Security Team.


