PT-2026-44164 · Drupal · Basket

Published 2026-05-27 · Updated 2026-06-02 · CVE-2026-9726

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions

Basket versions prior to 2.1.17

Description

The Basket module, which provides e-commerce and checkout functionality for Drupal sites, fails to sufficiently sanitize user-supplied data before it is processed by the PHP unserialize() function. This allows an attacker to provide a crafted payload to trigger PHP Object Injection, a process where untrusted data is used to instantiate objects. If a viable gadget chain (a sequence of existing code fragments) is present in the site codebase or dependencies, this can lead to arbitrary PHP code execution.

Recommendations

Update to version 2.1.17.
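The advisory does not show the affected code, so the following is an added example of the bug class and its general mitigation, not code from the Basket module. The class `DemoCartItem`, the functions `contains_object()` and `decode_plain_data()`, and the sample inputs are hypothetical and constructed for illustration (PHP 8.0 or later assumed).

```php
<?php
declare(strict_types=1);

// Constructed stand-in for any class in the codebase; it is not a Basket class.
final class DemoCartItem
{
    public string $sku = '';
    public function __wakeup(): void
    {
        echo "DemoCartItem instantiated from input\n";
    }
}

// True if the decoded value holds an object at any depth.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    foreach (is_array($value) ? $value : [] as $item) {
        if (contains_object($item)) {
            return true;
        }
    }
    return false;
}

// Decode data that is expected to contain scalars and arrays only.
function decode_plain_data(string $raw): array
{
    // allowed_classes => false: no class is instantiated and no magic method
    // runs; any serialized object becomes __PHP_Incomplete_Class instead.
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($value) || contains_object($value)) {
        throw new InvalidArgumentException('Rejected: not a plain serialized array');
    }
    return $value;
}

// Constructed sample inputs: one plain array, one array carrying an object.
$plain = serialize(['sku' => 'A-100', 'qty' => 2]);
$withObject = serialize(['item' => new DemoCartItem()]);
var_dump(decode_plain_data($plain));   // the plain array is returned
unserialize($withObject);              // unrestricted call: __wakeup() runs
try {
    decode_plain_data($withObject);    // hardened call: rejected, no __wakeup()
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Where the data never needs to carry objects, `json_encode()`/`json_decode()` removes the object-instantiation path entirely.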

Related Identifiers

CVE-2026-9726
DRUPAL-CONTRIB-2026-038

Affected Products

Basket