Computing

New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

News Room
News Room
New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

Ravie LakshmananApr 14, 2026Vulnerability / DevSecOps

Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution.

The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below –

  • CVE-2026-40176 (CVSS score: 7.8) – An improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer.
  • CVE-2026-40261 (CVSS score: 8.8) – An improper input validation vulnerability stemming from inadequate escaping that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.

In both cases, Composer would execute these injected commands even if Perforce VCS is not installed, the maintainers noted in an advisory.

The vulnerabilities affect the following versions –

  • >= 2.3, < 2.9.6 (Fixed in version 2.9.6)
  • >= 2.0, < 2.2.27 (Fixed in version 2.2.27)

If immediate patching is not an option, it’s advised to inspect composer.json files before running Composer and verify that Perforce-related fields contain valid values. It’s also recommended to only use trusted Composer repositories, run Composer commands on projects from trusted sources, and avoid installing dependencies using the “–prefer-dist” or the “preferred-install: dist” configuration setting.

Composer said it scanned Packagist.org and did not find any evidence of the aforementioned vulnerabilities being exploited by threat actors by publishing packages with malicious Perforce information. A new release is expected to be shipped for Private Packagist Self-Hosted customers.

“As a precaution, publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026,” it said. “Composer installations should be updated immediately regardless.”

Share This Article
Previous Article 4 Critical Reasons OpenClaw Is the Most Overhyped AI Tool Right Now 4 Critical Reasons OpenClaw Is the Most Overhyped AI Tool Right Now
Next Article Trump Mobile revamped its entire website for a phone that still doesn’t exist Trump Mobile revamped its entire website for a phone that still doesn’t exist
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Latest News

These Are The 5 Best OLED TV Deals You Should Be Looking At In April 2026 – BGR
These Are The 5 Best OLED TV Deals You Should Be Looking At In April 2026 – BGR
News
Opinion: Make Democracy capitalist again
Opinion: Make Democracy capitalist again
Computing
NAACP sues Musk’s xAI, alleging illegal air pollution
NAACP sues Musk’s xAI, alleging illegal air pollution
News
GNOME Mutter 50.1 Fixes Performance Regression For Some NVIDIA Driver Versions
GNOME Mutter 50.1 Fixes Performance Regression For Some NVIDIA Driver Versions
Computing
Lost your password?