Improperly Controlled Dynamic Object Modification in Drupal AlternativeCommerce by Drupal
CVE-2026-9726

Currently unrated

Key Information:

Vendor

Drupal

Vendor
CVE Published:
10 July 2026

What is CVE-2026-9726?

The vulnerability in Drupal's AlternativeCommerce module allows for improper control over dynamic object attributes, leading to potential object injection scenarios. Affected versions range from 0.0.0 to 2.1.17, highlighting the importance for users to update to more secure releases. Attackers exploiting this weakness could manipulate object attributes, potentially leading to unauthorized actions and data compromise. It is crucial for Drupal users to assess their implementations and apply necessary updates to mitigate the risks associated with this vulnerability.

Affected Version(s)

Drupal AlternativeCommerce (Basket) 0.0.0 < 2.1.17

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Drew Webber (mcdruid)
Helena Zajika (helena zajika)
Drew Webber (mcdruid)
Greg Knaddison (greggles)
Dave Long (longwave)
Drew Webber (mcdruid)
.