Two high-severity safety vulnerabilities have been disclosed in Composer, a bundle supervisor for PHP, that, if efficiently exploited, may end in arbitrary command execution.
The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (model management software program) driver. Particulars of the 2 flaws are under –
- CVE-2026-40176 (CVSS rating: 7.8) – An improper enter validation vulnerability that might permit an attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository to inject arbitrary instructions, leading to command execution within the context of the consumer working Composer.
- CVE-2026-40261 (CVSS rating: 8.8) – An improper enter validation vulnerability stemming from insufficient escaping that might permit an attacker to inject arbitrary instructions by means of a crafted supply reference containing shell metacharacters.
In each circumstances, Composer would execute these injected instructions even when Perforce VCS isn’t put in, the maintainers famous in an advisory.
The vulnerabilities have an effect on the next variations –
- >= 2.3, < 2.9.6 (Mounted in model 2.9.6)
- >= 2.0, < 2.2.27 (Mounted in model 2.2.27)
If rapid patching isn’t an choice, it is suggested to examine composer.json information earlier than working Composer and confirm that Perforce-related fields comprise legitimate values. It is also really helpful to solely use trusted Composer repositories, run Composer instructions on tasks from trusted sources, and keep away from putting in dependencies utilizing the “–prefer-dist” or the “preferred-install: dist” configuration setting.
Composer stated it scanned Packagist.org and didn’t discover any proof of the aforementioned vulnerabilities being exploited by risk actors by publishing packages with malicious Perforce data. A brand new launch is anticipated to be shipped for Non-public Packagist Self-Hosted clients.
“As a precaution, publication of Perforce supply metadata has been disabled on Packagist.org since Friday, April tenth, 2026,” it stated. “Composer installations ought to be up to date instantly regardless.”
