Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, which, if successfully exploited, could lead to arbitrary command execution.
The vulnerabilities are described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of both flaws are below –
- CVE-2026-40176 (CVSS Score: 7.8) – An improper input validation vulnerability that could allow an attacker who controls the repository configuration in a malicious composer.json that declares a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer.
- CVE-2026-40261 (CVSS Score: 8.8) – An improper input validation vulnerability resulting from insufficient escaping that could allow an attacker to inject arbitrary commands via a crafted source context containing shell metacharacters.
In both cases, Composer will execute these injected commands even if Perforce VCS is not installed, the maintainers noted in an advisory.
The vulnerabilities affect the following versions –
- >= 2.3, < 2.9.6 (fixed in version 2.9.6)
- >= 2.0, < 2.2.27 (fixed in version 2.2.27)
If immediate patching is not an option, it is advisable to inspect composer.json files before running Composer and verify that Perforce-related fields contain valid values. It is also recommended to only use trusted Composer repositories, run Composer commands only on projects from trusted sources, and avoid installing dependencies using the `--prefer-dist` flag or the `preferred-install: dist` configuration setting.
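A pre-install check along the lines of the advice above, written here as an added example and not code from Composer or the advisory: it parses a composer.json (or composer.lock), locates every Perforce-typed repository or package source block, and flags any field whose value carries shell metacharacters. The metacharacter set and the sample entries are assumptions constructed for this illustration.

```python
import json
import re

# Characters a shell would interpret; a legitimate Perforce host:port, depot
# path or user name contains none of them. Assumed audit heuristic, not
# Composer's own validation.
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\n\\\"']")

def _strings(node, path):
    """Yield (dotted path, value) for every string nested under node."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for k, v in node.items():
            yield from _strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _strings(v, f"{path}[{i}]")

def _perforce_blocks(doc):
    """Yield Perforce-typed blocks: composer.json 'repositories' entries
    (list or named-dict form) and composer.lock package 'source' entries."""
    repos = doc.get("repositories", [])
    items = repos.items() if isinstance(repos, dict) else enumerate(repos)
    for name, repo in items:
        if isinstance(repo, dict) and repo.get("type") == "perforce":
            yield f"repositories[{name}]", repo
    for section in ("packages", "packages-dev"):
        for i, pkg in enumerate(doc.get(section, [])):
            src = pkg.get("source") if isinstance(pkg, dict) else None
            if isinstance(src, dict) and src.get("type") == "perforce":
                yield f"{section}[{i}].source", src

def find_suspicious_perforce_fields(text):
    """Parse composer.json / composer.lock text; return [(field, value)] for
    every Perforce field whose value carries a shell metacharacter."""
    findings = []
    for where, block in _perforce_blocks(json.loads(text)):
        for field, value in _strings(block, where):
            if SHELL_METACHARS.search(value):
                findings.append((field, value))
    return findings

# Constructed sample (not from the advisory): a clean Perforce repository, one
# whose url smuggles a metacharacter, and an unrelated vcs entry for contrast.
SAMPLE_COMPOSER_JSON = json.dumps({"repositories": [
    {"type": "perforce", "url": "perforce.example.com:1666", "p4user": "ci"},
    {"type": "perforce", "url": "host:1666; echo injected", "p4user": "ci"},
    {"type": "vcs", "url": "https://github.com/example/lib.git"},
]})
```

Run it over each composer.json and composer.lock in a project before `composer install`; a non-empty result means a Perforce field needs a human look before Composer is allowed to act on it.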
Composer said it scanned Packagist.org and found no evidence of threat actors exploiting the above vulnerabilities by publishing packages with malicious Perforce information. A new release is expected to be shipped to Private Packagist self-hosted customers.
“As a precaution, publishing of Perforce source metadata on Packagist.org has been disabled effective Friday, April 10, 2026,” it said. “Composer installation should be updated immediately regardless.”