Composer, the PHP package manager, has fixed two high-severity flaws that could let an attacker trigger arbitrary command execution through malicious Perforce version control data, according to a security advisory from Packagist. The issues affect several Composer releases and were addressed in versions 2.9.6 and 2.2.27.
KEY FACTS
- Flaws: Two command injection vulnerabilities were disclosed in the Perforce VCS driver.
- CVE IDs: The issues are tracked as CVE-2026-40176 and CVE-2026-40261.
- Impact: Successful exploitation could run attacker-controlled commands in the context of the user running Composer.
- Affected versions: Versions >= 2.3 and < 2.9.6, and >= 2.0 and < 2.2.27, are affected.
- Mitigation: Users were urged to update immediately and review composer.json files before running Composer.
CVE-2026-40176 is described as an improper input validation flaw that could let an attacker controlling a repository configuration in a malicious composer.json inject arbitrary commands. CVE-2026-40261 involves inadequate escaping and could allow command injection through a crafted source reference containing shell metacharacters.
The advisory said Composer would execute the injected commands even if Perforce VCS was not installed. It also said publication of Perforce source metadata was disabled on Packagist.org on April 10, 2026, as a precaution.
Composer said it scanned Packagist.org and found no evidence that threat actors had used malicious Perforce information in published packages. It also said a new release is expected for Private Packagist Self-Hosted customers.
WHY IT MATTERS
The flaws matter because Composer is widely used to manage PHP dependencies, and command execution could expose developer systems or build environments to compromise. Updating to a fixed release and reviewing composer.json for repository entries that do not come from a trusted source can reduce the risk.
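The advisory's two mitigations, updating Composer and reviewing composer.json before running it, can be turned into a pre-flight check. The script below is an added example written for this article; it is not Composer's or Packagist's code and it does not reproduce the driver's escaping logic. It encodes the affected version ranges quoted above, and it screens a composer.json (and optionally a composer.lock) for Perforce repository entries and for strings containing shell metacharacters, which is only a heuristic. The sample documents, the hostnames, and the repository keys such as p4user and depot are constructed for illustration.

```python
import json
import re

# Affected Composer ranges as stated in the advisory summarized above:
# >= 2.3 and < 2.9.6, and >= 2.0 and < 2.2.27.
AFFECTED_RANGES = [((2, 3, 0), (2, 9, 6)), ((2, 0, 0), (2, 2, 27))]

# Heuristic set of characters that carry meaning to a POSIX shell. This is a
# reviewer's screen, not a reproduction of Composer's own escaping logic.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r]")


def parse_version(text):
    """Return the leading dotted numeric part of a version string as (major, minor, patch)."""
    m = re.match(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected_version(text):
    """True if a Composer version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def _walk_strings(obj, path):
    """Yield (json-path, value) for every string nested in a JSON value."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk_strings(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk_strings(v, f"{path}[{i}]")


def audit_composer_json(text):
    """Flag perforce repository entries and any string inside them with shell metacharacters."""
    data = json.loads(text)
    repos = data.get("repositories") or []
    # composer.json allows "repositories" as a list or as a name-keyed object.
    entries = repos.items() if isinstance(repos, dict) else enumerate(repos)
    findings = []
    for key, repo in entries:
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        where = f"repositories[{key!r}]"
        findings.append(f"{where}: perforce repository declared (url={repo.get('url', '?')})")
        for path, s in _walk_strings(repo, where):
            if SHELL_META.search(s):
                findings.append(f"{path}: shell metacharacters in {s!r}")
    return findings


def audit_composer_lock(text):
    """Flag locked packages with a perforce source, and any source reference with shell metacharacters."""
    data = json.loads(text)
    findings = []
    for section in ("packages", "packages-dev"):
        for i, pkg in enumerate(data.get(section) or []):
            src = pkg.get("source") or {}
            where = f"{section}[{i}] {pkg.get('name', '?')}"
            if src.get("type") == "perforce":
                findings.append(f"{where}: perforce source (url={src.get('url', '?')})")
            ref = src.get("reference")
            if isinstance(ref, str) and SHELL_META.search(ref):
                findings.append(f"{where}: shell metacharacters in source reference {ref!r}")
    return findings


# Constructed sample inputs (hypothetical hosts and keys), not real project files.
SAMPLE_COMPOSER_JSON = """{
  "require": {"example/lib": "^1.0"},
  "repositories": [
    {"type": "composer", "url": "https://repo.packagist.org"},
    {"type": "perforce", "url": "perforce.example.invalid:1666",
     "p4user": "build", "depot": "//depot/app & more"}
  ]
}"""

SAMPLE_COMPOSER_LOCK = """{
  "packages": [
    {"name": "example/lib", "version": "1.2.0",
     "source": {"type": "perforce", "url": "perforce.example.invalid:1666", "reference": "1234 | 5"}},
    {"name": "example/other", "version": "3.0.0",
     "source": {"type": "git", "url": "https://git.example.invalid/other.git", "reference": "abc123"}}
  ],
  "packages-dev": []
}"""

if __name__ == "__main__":
    for v in ("2.9.5", "2.9.6", "2.2.26", "2.2.27"):
        print(f"composer {v}: {'AFFECTED' if is_affected_version(v) else 'fixed or out of range'}")
    for line in audit_composer_json(SAMPLE_COMPOSER_JSON) + audit_composer_lock(SAMPLE_COMPOSER_LOCK):
        print("finding:", line)
```

Run it against a real checkout by loading the project's composer.json and composer.lock into the two audit functions, and compare the output of `composer --version` with is_affected_version. A Perforce repository entry is not itself a finding of malice; it is a prompt to confirm the entry was added by someone you trust before Composer is run with it.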

