Two high-severity security vulnerabilities have been disclosed in Composer, a PHP package manager, that could allow arbitrary command execution if successfully exploited.
The vulnerability is described as a command injection flaw affecting the Perforce VCS (version control software) driver. Details of the two defects are below.
CVE-2026-40176 (CVSS Score: 7.8) – An improper input validation vulnerability could allow an attacker to control the repository settings in a malicious Composer.json that declares a Perforce VCS repository and inject arbitrary commands, which could result in commands being executed in the context of the user running Composer. CVE-2026-40261 (CVSS Score: 8.8) – Improper input validation vulnerability due to improper escaping could allow an attacker to inject arbitrary commands via a crafted source reference containing shell metacharacters.
In either case, Composer may run these injected commands even if Perforce VCS is not installed, the administrator notes in the advisory.
This vulnerability affects the following versions:
>= 2.3,< 2.9.6 (バージョン 2.9.6 で修正) >= 2.0, < 2.2.27 (fixed in version 2.2.27)
If immediate patching is not an option, we recommend that you inspect your composer.json file to ensure that Perforce-related fields contain valid values before running Composer. We also recommend that you only use trusted Composer repositories, run Composer commands against projects from trusted sources, and do not install dependencies using the “–prefer-dist” or “preferred-install: dist” configuration settings.
Composer said that a scan of Packagist.org found no evidence that threat actors were exploiting the aforementioned vulnerabilities by publishing packages containing malicious Perforce information. New releases will be shipped to Private Packagist self-hosted customers.
“As a precautionary measure, publishing Perforce source metadata on Packagist.org is disabled starting Friday, April 10, 2026,” the company said. “Composer installations should be updated immediately regardless.”
Source link
