Command Injection Flaw in Composer Affects PHP Dependency Management
CVE-2026-40261

8.8HIGH

Key Information:

Vendor

Composer

Status
Vendor
CVE Published:
15 April 2026

Badges

๐Ÿ‘พ Exploit Exists๐Ÿ“ฐ News Worthy

What is CVE-2026-40261?

A command injection vulnerability exists in Composer, a widely used PHP dependency manager, specifically in the Perforce::syncCodeBase() and Perforce::generateP4Command() methods. This flaw arises from the improper handling of the $sourceReference parameter and user-supplied Perforce connection parameters, allowing attackers to inject malicious commands via crafted values. A compromised Composer repository can serve package metadata that includes these unsafe parameters, rendering systems vulnerable during dependency installation or updates. To mitigate risks, users should upgrade to Composer versions 2.2.27 or 2.9.6 and employ safer installation practices by avoiding source installations.

Affected Version(s)

composer >= 2.3.0, < 2.9.6 < 2.3.0, 2.9.6

composer >= 1.0.0, < 2.2.27 < 1.0.0, 2.2.27

News Articles

Composer 2.9.6 Fixes Two Perforce Command Injection Vulnerabilities - Laravel News

Composer 2.9.6 and 2.2.27 LTS fix two Perforce VCS driver command injection vulnerabilities that could lead to arbitrary command execution. Update immediately.

References

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • ๐Ÿ‘พ

    Exploit known to exist

  • ๐Ÿ“ฐ

    First article discovered by Laravel News

  • Vulnerability published

  • Vulnerability Reserved

.