Command Injection Flaw in Composer Affects PHP Dependency Management
CVE-2026-40261

8.8HIGH

Key Information:

Vendor: Composer
Status: Composer
Vendor: CVE Published:; 15 April 2026

What is CVE-2026-40261?

A command injection vulnerability exists in Composer, a widely used PHP dependency manager, specifically in the Perforce::syncCodeBase() and Perforce::generateP4Command() methods. This flaw arises from the improper handling of the $sourceReference parameter and user-supplied Perforce connection parameters, allowing attackers to inject malicious commands via crafted values. A compromised Composer repository can serve package metadata that includes these unsafe parameters, rendering systems vulnerable during dependency installation or updates. To mitigate risks, users should upgrade to Composer versions 2.2.27 or 2.9.6 and employ safer installation practices by avoiding source installations.

Affected Version(s)

composer >= 2.3.0, < 2.9.6 < 2.3.0, 2.9.6

composer >= 1.0.0, < 2.2.27 < 1.0.0, 2.2.27

References

https://github.com/composer/composer/security/advisories/...

x_refsource_CONFIRM

https://github.com/composer/composer/releases/tag/2.9.6

x_refsource_MISC

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 15, 2026
Vulnerability Reserved
Apr 10, 2026

CVE-2026-40261 Data

JSON