April 15, 2026, By Pierluigi Paganini

Two high-severity flaws in PHP Composer could let attackers run arbitrary commands via malicious repository configs and crafted inputs affecting Perforce VCS.
Two high-severity vulnerabilities in PHP Composer could allow attackers to execute arbitrary commands. PHP Composer is a dependency manager for PHP that helps developers install and manage libraries their projects need. By defining packages in a composer.json file, it automatically downloads and updates them, resolving dependencies. It simplifies development and is widely used with frameworks like Laravel and Symfony.
The flaws impact the Perforce VCS driver and stem from improper input validation and insufficient escaping. By crafting a malicious composer.json or source reference with shell metacharacters, an attacker controlling a repository configuration could run commands on the user’s system.
“Please immediately update Composer to version 2.9.6 or 2.2.27 (LTS) by running composer.phar self-update. The new releases include fixes for two command injection security vulnerabilities in the Perforce VCS driver. CVE-2026-40261 was reported by Koda Reef and CVE-2026-40176 was reported by saku0512,” reads the advisory.
Below are the descriptions of the two flaws:
- CVE-2026-40176 (CVSS score: 7.8) – Improper input validation allows an attacker controlling a malicious composer.json with a Perforce VCS repository to inject arbitrary commands, leading to execution in the context of the user running Composer.
- CVE-2026-40261 (CVSS score: 8.8) – Improper input validation due to insufficient escaping allows an attacker to inject arbitrary commands via a crafted source reference containing shell metacharacters.
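The two actions a defender takes after this advisory are to confirm the installed Composer is at or above the fixed release of its branch and to look at any Perforce repository definitions or Perforce source references a project already carries for the kind of shell metacharacters the advisory describes. The script below is an added example written for this article, not Composer's own code; it assumes the composer.json keys "url", "branch" and "p4user" for a Perforce repository, a "source" block with "type": "perforce" and a "reference" field in composer.lock packages, and version strings of the form major.minor.patch. The sample composer.json and composer.lock documents are constructed for the demonstration, and the metacharacter set is deliberately conservative (whitespace included), so a flagged value is something to inspect rather than proof of tampering.

```python
"""Post-advisory audit helper (added example, not Composer's own code).

Two checks a defender wants after reading the advisory:
  1. is_patched(): is a Composer version string at or above the fixed release
     of its branch (2.9.6 on the current line, 2.2.27 on the 2.2 LTS line)?
  2. audit_composer_json() / audit_composer_lock(): do Perforce repository
     definitions or Perforce source references carry shell metacharacters?
Assumed (not taken from the article): the composer.json keys "url", "branch",
"p4user" for Perforce repositories and the "source" block of composer.lock
packages with "type": "perforce" and a "reference" field.
"""
import json
import re

FIXED_MAINLINE = (2, 9, 6)   # fixed release named by the advisory for the current line
FIXED_LTS_22 = (2, 2, 27)    # fixed release named by the advisory for the 2.2 LTS line

# Characters that change how a POSIX shell reads a command line. Whitespace is
# included on purpose: a flagged value is a value to inspect, not proof of an attack.
SHELL_META = re.compile(r"""[;&|`$<>(){}\\'"\s]""")


def parse_version(version: str) -> tuple:
    """Leading numeric components of a Composer version string: '2.9.5' -> (2, 9, 5)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version: str) -> bool:
    """True when the version is at or above the fixed release of its branch."""
    v = parse_version(version)
    if v[:2] == (2, 2):
        return v >= FIXED_LTS_22
    if v[0] == 2:
        return v >= FIXED_MAINLINE
    return False  # 1.x or unknown lines are not covered by the fixed releases: treat as unpatched


def flagged_values(entry: dict, path: str) -> list:
    """(path, value) pairs for every string field of `entry` containing a shell metacharacter."""
    return [(f"{path}.{key}", value) for key, value in entry.items()
            if isinstance(value, str) and SHELL_META.search(value)]


def audit_composer_json(doc: dict) -> list:
    """Flag suspicious string fields in Perforce repository definitions of a composer.json."""
    repos = doc.get("repositories", [])
    # "repositories" may be a list or an object keyed by name; normalise to (label, entry) pairs.
    items = repos.items() if isinstance(repos, dict) else enumerate(repos)
    findings = []
    for label, entry in items:
        if isinstance(entry, dict) and entry.get("type") == "perforce":
            findings.extend(flagged_values(entry, f"repositories[{label}]"))
    return findings


def audit_composer_lock(lock: dict) -> list:
    """Flag Perforce source entries in a composer.lock whose fields contain shell metacharacters."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            src = pkg.get("source") or {}
            if src.get("type") == "perforce":
                findings.extend(flagged_values(src, f"{section}[{pkg.get('name')}].source"))
    return findings


# Constructed sample inputs for demonstration; not taken from any real project.
SAMPLE_COMPOSER_JSON = json.loads("""
{
  "repositories": [
    {"type": "perforce", "url": "perforce.example.invalid:1666", "branch": "//depot/main", "p4user": "build"},
    {"type": "perforce", "url": "p4.example.invalid:1666", "branch": "//depot/main; echo", "p4user": "ci"},
    {"type": "vcs", "url": "https://git.example.invalid/lib.git"}
  ]
}
""")

SAMPLE_COMPOSER_LOCK = {
    "packages": [
        {"name": "acme/tool", "source": {"type": "perforce", "url": "perforce.example.invalid:1666",
                                         "reference": "//depot/tool@42"}},
        {"name": "acme/lib", "source": {"type": "perforce", "url": "perforce.example.invalid:1666",
                                        "reference": "//depot/lib@42 && echo"}},
    ],
    "packages-dev": [],
}

if __name__ == "__main__":
    for ver in ("2.9.5", "2.9.6", "2.2.26", "2.2.27"):
        print(f"composer {ver}: {'patched' if is_patched(ver) else 'UPDATE REQUIRED'}")
    for path, value in audit_composer_json(SAMPLE_COMPOSER_JSON) + audit_composer_lock(SAMPLE_COMPOSER_LOCK):
        print(f"suspicious value at {path}: {value!r}")
```

Run it against a real project by replacing the two sample documents with `json.load(open("composer.json"))` and `json.load(open("composer.lock"))`; the version string to feed `is_patched()` is the one printed by `composer --version`. The branch split matters: a 2.3 to 2.8 install is below 2.9.6 and is reported as needing the update, which is what the advisory asks for, while a 2.2.x install is measured against the 2.2.27 LTS release instead.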