Full Report
Drupal security advisory (AV26-518)
Analysis Summary
# Vulnerability: Drupal AlternativeCommerce (Basket) Arbitrary PHP Code Execution
## CVE Details
- **CVE ID:** Not listed in the advisory; the Drupal identifier is SA-CONTRIB-2026-038
- **CVSS Score:** Not provided. Drupal's security team rates advisories on its own risk scale rather than CVSS; this advisory is labelled "Highly critical", the top band of that scale.
- **CWE:** CWE-94 (Improper Control of Generation of Code ('Code Injection')), manifesting here as remote code execution
## Affected Systems
- **Products:** Drupal AlternativeCommerce (Basket) module
- **Versions:** All versions prior to 2.1.17
- **Configurations:** Systems running the AlternativeCommerce contribution module on Drupal core.
## Vulnerability Description
The AlternativeCommerce (Basket) module for Drupal does not sufficiently sanitize user-supplied input, and an attacker can use the flaw to execute arbitrary PHP code on the server hosting the site. The affected endpoint and code path are not identified in this summary. In PHP, this class of flaw (CWE-94) typically arises when attacker-controlled data reaches `eval()`, a dynamically built `include`/`require`, or a callable assembled from user input, or when untrusted data is passed to `unserialize()` and a usable gadget chain exists on the site.
## Exploitation
- **Status:** No proof-of-concept exploit has been confirmed and no in-the-wild exploitation had been reported at the time of the advisory.
- **Complexity:** Low, assuming the vulnerable endpoint is reachable; code-injection bugs of this kind need no special conditions once the input path is known. Whether authentication or a specific permission is required is not stated in this summary.
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (code runs as the web server user, which can read `settings.php` and the database credentials it holds, and therefore the full site database and any file that user can reach)
- **Integrity:** High (the attacker can modify site content, configuration and code, for example by planting a web shell in a writable directory such as the public files path)
- **Availability:** High (the attacker can delete data, alter configuration, or otherwise take the site down)
## Remediation
### Patches
The Drupal security team recommends upgrading to the following version:
- **AlternativeCommerce (Basket) 2.1.17**
### Workarounds
- If an immediate update is not possible, the primary workaround is to **uninstall** the AlternativeCommerce (Basket) module until the patch can be applied. Note that uninstalling a Drupal module removes the configuration and database tables it owns, so export configuration and back up the database first.
## Detection
- **Indicators of compromise:** Web server access logs record only the request line (method, path and query string), not POST bodies, so searching them for PHP open tags (`<?php`, usually URL-encoded as `%3C%3Fphp`) or PHP serialized-object markers (`O:<n>:"`) only catches payloads placed in the URL. Inspecting request bodies for the same patterns requires a WAF, a reverse proxy with body logging, or application-level request logging. After the fact, look for new or modified `.php` files in paths the web server user can write to (for example the public files directory), unexpected child processes of the PHP or web server user, and unexplained new administrative accounts.
- **Detection methods and tools:** Confirm the installed version with `composer show` on Composer-managed sites, the `version:` key in the module's `.info.yml`, or Drupal's Available updates report (the core Update Manager, or `drush pm:security`), and verify that nothing older than 2.1.17 remains installed.
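The two checks above, as an added example that is not part of the advisory and not code from the AlternativeCommerce module: a version comparison against the fixed release 2.1.17 that understands both Drupal contrib version forms (`8.x-2.1.16` and `2.1.16`), and a scanner that reads combined-format access log lines and flags requests whose URL carries a PHP open tag or a PHP serialized-object marker. It goes slightly beyond the text by flagging any HTTP method, not only POST, since a PHP tag in a GET query string is just as suspect. The `.info.yml` text, the URL paths and the log lines are constructed for the demonstration; nothing here reflects the module's real routes or the vulnerable code path.

```python
"""Added example: version audit and access-log triage for a Drupal contrib RCE advisory.

Not part of the AV26-518 / SA-CONTRIB-2026-038 advisory and not the module's own code.
The sample .info.yml text and log lines are constructed; the "/basket" paths are
hypothetical and are not the module's real routes.
"""
import re
from urllib.parse import unquote

FIXED_RELEASE = "2.1.17"  # version named in the advisory as the fix

# Legacy Drupal contrib form "8.x-2.1.16" or semantic form "2.1.16", optional "-rc1" suffix.
_VERSION_RE = re.compile(r"^(?:\d+\.x-)?(\d+(?:\.\d+)*)(?:-([0-9A-Za-z]+))?$")


def parse_drupal_version(version):
    """Return a comparable tuple: (numeric parts, release flag, pre-release tag).

    A pre-release (e.g. 2.1.17-rc1) sorts before the final release of the same
    number, so it is treated as still vulnerable. Raises ValueError on junk.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Drupal version string: {version!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    pre = m.group(2) or ""
    return (numbers, 0 if pre else 1, pre)


def version_is_vulnerable(version):
    """True if `version` is older than the fixed release."""
    return parse_drupal_version(version) < parse_drupal_version(FIXED_RELEASE)


def version_from_info_yml(info_yml_text):
    """Pull the `version:` value out of a module's .info.yml without a YAML library.

    Returns None for dev checkouts, which drupal.org packaging has not stamped.
    """
    for line in info_yml_text.splitlines():
        m = re.match(r"^version:\s*['\"]?([^'\"\s#]+)", line)
        if m:
            return m.group(1)
    return None


# Apache/nginx combined log format: only the request line is available, never the body.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
_PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)   # <?php ... or <?= ...
_PHP_OBJECT = re.compile(r'\b[OC]:\d+:"')                  # serialized object/class marker


def _decode(target, rounds=2):
    """URL-decode up to `rounds` times so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def find_suspicious_requests(log_lines):
    """Return one dict per request whose decoded URL carries a PHP tag or serialized object."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = _decode(m["target"])
        reasons = []
        if _PHP_TAG.search(target):
            reasons.append("php-open-tag")
        if _PHP_OBJECT.search(target):
            reasons.append("php-serialized-object")
        if reasons:
            hits.append({"ip": m["ip"], "timestamp": m["ts"], "method": m["method"],
                         "target": target, "status": int(m["status"]), "reasons": reasons})
    return hits


# Constructed sample data (hypothetical paths; not the module's real files or routes).
SAMPLE_INFO_YML = """\
name: 'AlternativeCommerce (Basket)'
type: module
# drupal.org packaging stamps the version line:
version: '2.1.16'
"""

SAMPLE_ACCESS_LOG = [
    '203.0.113.10 - - [03/Mar/2026:10:01:12 +0000] "POST /basket/checkout HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Mar/2026:10:02:40 +0000] "POST /basket/add?note=%3C%3Fphp%20system%28%24_GET%5Bc%5D%29%3B%3F%3E HTTP/1.1" 200 312 "-" "curl/8.4.0"',
    '198.51.100.7 - - [03/Mar/2026:10:03:05 +0000] "POST /basket/add?state=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bs%3A1%3A%22y%22%3B%7D HTTP/1.1" 500 0 "-" "curl/8.4.0"',
    '192.0.2.44 - - [03/Mar/2026:10:04:00 +0000] "GET /basket?q=%3C%3Fphp HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    installed = version_from_info_yml(SAMPLE_INFO_YML)
    print(f"installed {installed}: vulnerable={version_is_vulnerable(installed)}")
    for hit in find_suspicious_requests(SAMPLE_ACCESS_LOG):
        print(hit["ip"], hit["method"], hit["status"], hit["reasons"], hit["target"])
```

The log scanner is deliberately narrow: a payload submitted in the POST body never appears in an access log, so an empty result from this script is not evidence of absence. Treat it as a first-pass triage of URL-borne attempts and pair it with the file-system and process indicators listed above.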
## References
- hxxps[://]www[.]drupal[.]org/sa-contrib-2026-038
- hxxps[://]www[.]drupal[.]org/security
- hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/drupal-security-advisory-av26-518