PHP Composer flaws enable remote command execution via Perforce VCS

Two high-severity flaws in PHP Composer could let attackers run arbitrary commands via malicious repository configs and crafted inputs affecting Perforce VCS.

Two high-severity vulnerabilities in PHP Composer could allow attackers to execute arbitrary commands. PHP Composer is a dependency manager for PHP that helps developers install and manage libraries their projects need. By defining packages in a composer.json file, it automatically downloads and updates them, resolving dependencies. It simplifies development and is widely used with frameworks like Laravel and Symfony.

The flaws impact the Perforce VCS driver and stem from improper input validation and insufficient escaping. By crafting a malicious composer.json or source reference with shell metacharacters, an attacker controlling a repository configuration could run commands on the user’s system.

“Please immediately update Composer to version 2.9.6 or 2.2.27 (LTS) by running composer.phar self-update. The new releases include fixes for two command injection security vulnerabilities in the Perforce VCS driver. CVE-2026-40261 was reported by Koda Reef and CVE-2026-40176 was reported by saku0512.” reads the advisory.

Below are the descriptions of the two flaws:

  • CVE-2026-40176 (CVSS score: 7.8) – Improper input validation allows an attacker controlling a malicious composer.json with a Perforce VCS repository to inject arbitrary commands, leading to execution in the context of the user running Composer.
  • CVE-2026-40261 (CVSS score: 8.8) – Improper input validation due to insufficient escaping allows an attacker to inject arbitrary commands via a crafted source reference containing shell metacharacters.

Both vulnerabilities stem from improper escaping in Composer’s Perforce VCS driver when building shell commands.

CVE-2026-40176 affects the generateP4Command() method, where user-controlled connection parameters (port, user, client) are inserted without sanitization. This allows command injection via a malicious composer.json, but only when running Composer on untrusted root projects, not dependencies.

CVE-2026-40261 impacts the syncCodeBase() method, where an unescaped source reference enables command injection through crafted metadata. It can be exploited via malicious or compromised repositories, even without Perforce installed, especially when installing or updating dependencies from source.
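The two bug classes above, connection parameters interpolated into a p4 command line (CVE-2026-40176) and an unescaped source reference appended to a sync command (CVE-2026-40261), share one root cause: attacker-controlled strings reach a shell without escaping. The following is an added illustration, not Composer's own code: the function names echo the methods named in the advisory but the bodies are simplified stand-ins, the repository entry is constructed for the example (the p4user and client keys are assumed, not taken from the advisory), and nothing is executed, only the resulting command strings are shown.

```php
<?php
// Added example, not code from Composer. Shows the unescaped-interpolation
// pattern the advisory describes next to a hardened form that validates
// each value and passes it through escapeshellarg().
declare(strict_types=1);

// Constructed sample: a repository entry shaped like a composer.json
// Perforce repository. The "p4user" value carries shell metacharacters;
// the key names are assumptions for this example.
$maliciousRepo = [
    'type'   => 'perforce',
    'url'    => 'perforce.example.com:1666',
    'p4user' => 'alice; id > /tmp/pwned #',
    'client' => 'composer_ws',
];

// Vulnerable pattern (stand-in for the flawed generateP4Command):
// plain string interpolation of user-controlled connection parameters.
function vulnerableP4Command(array $repo, string $action): string
{
    return 'p4 -p ' . $repo['url'] . ' -u ' . $repo['p4user']
        . ' -c ' . $repo['client'] . ' ' . $action;
}

// Perforce ports, user names and client names never legitimately contain
// whitespace or shell metacharacters; reject anything else before it is
// even escaped (validation is defense in depth on top of escaping).
function assertSafeP4Value(string $name, string $value): void
{
    if (!preg_match('/^[A-Za-z0-9_.:@\/-]+$/', $value)) {
        throw new InvalidArgumentException("Invalid Perforce $name: $value");
    }
}

// Hardened pattern: validate, then quote every external argument.
function safeP4Command(array $repo, string $action): string
{
    foreach (['url', 'p4user', 'client'] as $key) {
        assertSafeP4Value($key, (string) $repo[$key]);
    }
    return 'p4 -p ' . escapeshellarg($repo['url'])
        . ' -u ' . escapeshellarg($repo['p4user'])
        . ' -c ' . escapeshellarg($repo['client'])
        . ' ' . $action;
}

// Vulnerable pattern (stand-in for the flawed syncCodeBase): the source
// reference comes from package metadata an attacker may control.
function vulnerableSync(string $ref): string
{
    return 'p4 sync ...@' . $ref;
}

// Hardened form: a reference is a changelist number or label, nothing more.
function safeSync(string $ref): string
{
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $ref)) {
        throw new InvalidArgumentException("Invalid Perforce reference: $ref");
    }
    return 'p4 sync ' . escapeshellarg('...@' . $ref);
}

// Demonstration: print the command strings that would be handed to a shell.
echo "Vulnerable: ", vulnerableP4Command($maliciousRepo, 'info'), PHP_EOL;
try {
    echo "Hardened:   ", safeP4Command($maliciousRepo, 'info'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "Rejected:   ", $e->getMessage(), PHP_EOL;
}

// Constructed malicious source reference for the second flaw.
$maliciousRef = '12345; id';
echo "Vulnerable: ", vulnerableSync($maliciousRef), PHP_EOL;
try {
    echo "Hardened:   ", safeSync($maliciousRef), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "Rejected:   ", $e->getMessage(), PHP_EOL;
}
```

In the vulnerable command string the `;` ends the p4 invocation and the shell runs the attacker's `id > /tmp/pwned` as a second command, with `#` discarding the rest of the line; the same happens with the reference in the sync command. In the hardened variants the value is rejected by the allow-list before escaping, and even if the allow-list were loosened, escapeshellarg() would deliver the whole string to p4 as a single argument rather than to the shell as code.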

Composer 2.9.6 (mainline) and 2.2.27 (2.2 LTS) address both vulnerabilities.

To mitigate CVE-2026-40261, avoid installing dependencies from source by using --prefer-dist or setting preferred-install to dist, and rely only on trusted repositories. For CVE-2026-40176, review composer.json files carefully, ensure Perforce fields contain only valid values, and run Composer only on trusted projects.

According to the advisory, scans of Packagist.org and Private Packagist found no exploitation attempts. As a precaution, Perforce metadata publishing and the Perforce VCS driver were disabled on April 10, 2026. Private Packagist Self-Hosted users will receive updates and should upgrade Composer promptly and verify metadata.


Pierluigi Paganini

(SecurityAffairs – hacking, PHP Composer)
