Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below - CVE-2026-40176 (CVSS score: 7.8) - An improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer. CVE-2026-40261 (CVSS score: 8.8) - An improper input validation vulnerability stemming from inadequate escaping that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. In both cases, Composer would execute these injected commands even if Perforce VCS is not installed, the maintainers noted in an advisory. The vulnerabilities affect the following versions - >= 2.3, < 2.9.6 (Fixed in version 2.9.6) >= 2.0, < 2.2.27 (Fixed in version 2.2.27) If immediate patching is not an option, it's advised to inspect composer.json files before running Composer and verify that Perforce-related fields contain valid values. It's also recommended to only use trusted Composer repositories, run Composer commands on projects from trusted sources, and avoid installing dependencies using the "--prefer-dist" or the "preferred-install: dist" configuration setting. Composer said it scanned Packagist.org and did not find any evidence of the aforementioned vulnerabilities being exploited by threat actors by publishing packages with malicious Perforce information. A new release is expected to be shipped for Private Packagist Self-Hosted customers. "As a precaution, publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026," it said. "Composer installations should be updated immediately regardless."
Critical PHP Composer Flaws Permit Arbitrary Command Execution
Two critical command injection vulnerabilities have been discovered in PHP Composer, the widely used package manager, exposing systems to arbitrary command execution. These high-severity flaws, CVE-2026-40176 and CVE-2026-40261, represent a significant threat, allowing attackers to inject and execute commands even without the Perforce VCS driver being installed. Organizations using PHP Composer must prioritize immediate patching to versions 2.9.6 or 2.2.27 and conduct a thorough inspection of their `composer.json` files for malicious configurations.
- Two high-severity command injection vulnerabilities (CVE-2026-40176, CVE-2026-40261) found in PHP Composer.
- Flaws enable arbitrary command execution on systems, even if Perforce VCS is not installed.
- Urgent patching to versions 2.9.6 or 2.2.27 is required; immediate inspection of composer.json files advised.
Why this matters: These command injection flaws could allow attackers to execute arbitrary code on systems, leading to severe compromise and supply chain risks for PHP-based applications in defense and intelligence sectors.
This disclosure highlights the pervasive risk inherent in third-party dependencies, as a fundamental development tool like Composer can introduce severe supply chain vulnerabilities. For cybersecurity professionals, this underscores the critical need for continuous software composition analysis and robust input validation checks, even in tools not directly exposed to external networks. The ability to achieve arbitrary command execution, regardless of Perforce installation, demonstrates a sophisticated attack vector that could bypass traditional security controls, emphasizing the need for defense-in-depth strategies covering development environments.
