Command Injection Vulnerability in Composer Dependency Manager by PHP
CVE-2026-40176

7.8 HIGH

Key Information:

Vendor: Composer
Status: Vendor
CVE Published: 15 April 2026

What is CVE-2026-40176?

Composer, a widely used dependency manager for PHP, has a command injection vulnerability in the Perforce::generateP4Command() method. The issue arises from improper handling of user-supplied Perforce connection parameters when they are interpolated into shell command strings. Attackers can exploit this flaw by injecting arbitrary commands through a manipulated composer.json file when Composer commands are run on an untrusted project. The vulnerability exists in Composer versions 1.0 through 2.2.26 and 2.3 through 2.9.5, and it can lead to unintended command execution in the context of the user running Composer. It can only be exploited when VCS repositories are loaded from the root composer.json or the composer config directory, not from package dependencies. Users are strongly advised to update to Composer 2.2.27 (2.2 LTS) or 2.9.6 (mainline) to mitigate this risk.
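As an added defensive check, not code from Composer or from this advisory, the following Python script scans a composer.json for repositories of type "perforce" whose connection fields contain shell metacharacters, so an untrusted project can be reviewed before Composer is run on it. The field names p4user, p4password, branch and depot are assumed from Composer's Perforce repository configuration, and the sample manifest is constructed.

```python
import json
import re

# Repository fields Composer hands to the p4 client for "perforce" repositories.
# Assumption: key names follow Composer's documented perforce repository config.
PERFORCE_KEYS = ("url", "p4user", "p4password", "branch", "depot")

# Characters a POSIX shell interprets; none of them belong in a host:port,
# user name, branch or depot path that is interpolated into a command string.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\\"'(){}\[\]*?!#~]")

# Constructed sample manifest: one harmless Perforce repository and one whose
# branch field carries a shell separator.
SAMPLE_COMPOSER_JSON = json.dumps({
    "repositories": [
        {"type": "perforce", "url": "perforce.example.com:1666",
         "p4user": "ci-bot", "branch": "main"},
        {"type": "perforce", "url": "perforce.example.com:1666",
         "p4user": "ci-bot", "branch": "main; echo hi"},
        {"type": "vcs", "url": "https://github.com/example/library"},
    ]
})


def find_suspicious_perforce_params(composer_json: str) -> list:
    """Return one finding per perforce repository field containing shell metacharacters."""
    data = json.loads(composer_json)
    repos = data.get("repositories", [])
    # Composer accepts repositories either as a list or as a name-keyed object.
    if isinstance(repos, dict):
        repos = list(repos.values())
    findings = []
    for index, repo in enumerate(repos):
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        for key in PERFORCE_KEYS:
            value = repo.get(key)
            if isinstance(value, str) and SHELL_META.search(value):
                findings.append({"repository": index, "field": key, "value": value})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_perforce_params(SAMPLE_COMPOSER_JSON):
        print("suspicious perforce parameter:", finding)
```

This pre-flight check complements upgrading to a fixed Composer release; it does not replace it, since the fixed versions quote the parameters correctly regardless of content.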

Affected Version(s)

composer >= 2.3, < 2.9.6 (not affected below 2.3; fixed in 2.9.6)

composer >= 1.0, < 2.2.27 (not affected below 1.0; fixed in 2.2.27)

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
