Full Report
Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below - CVE-2026-40176 (CVSS
Analysis Summary
# Vulnerability: PHP Composer Command Injection in Perforce VCS Driver
## CVE Details
- **CVE ID:** CVE-2026-40176
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-20: Improper Input Validation
- **CVE ID:** CVE-2026-40261
- **CVSS Score:** 8.8 (High)
- **CWE:** CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
## Affected Systems
- **Products:** Composer (PHP Package Manager)
- **Versions:**
  - Versions >= 2.3 and < 2.7.27 (Fixed in **2.7.27**)
  - Versions >= 2.0 and < 2.2.27 (Fixed in **2.2.27**)
- **Configurations:** Systems running Composer that process `composer.json` files containing Perforce VCS repository definitions. The vulnerability exists even if Perforce VCS is not installed on the system.
## Vulnerability Description
The flaws reside in the Perforce Version Control Software (VCS) driver within Composer.
- **CVE-2026-40176:** Occurs due to improper validation of repository configurations within a `composer.json` file. An attacker can define a malicious Perforce repository that triggers command execution when the user runs Composer.
- **CVE-2026-40261:** Stemming from inadequate escaping of shell metacharacters, this flaw allows attackers to inject arbitrary commands through a crafted "source reference" (branch name, tag, or commit hash).
## Exploitation
- **Status:** No evidence of "in the wild" exploitation found on Packagist.org; PoC not public but technical details are disclosed.
- **Complexity:** Medium (Requires inducing a user to run Composer on a project with a malicious configuration).
- **Attack Vector:** Network (Remote via malicious package or repository definition).
## Impact
- **Confidentiality:** High (Full access to the user's environment).
- **Integrity:** High (Ability to modify system files and code).
- **Availability:** High (Ability to crash or wipe systems).
## Remediation
### Patches
Users should update Composer immediately to the following versions:
- **v2.8.2** (or higher)
- **v2.7.27** (for 2.7 branch)
- **v2.2.27** (for 2.2 LTS branch)
### Workarounds
- **Inspect `composer.json`:** Manually review files for untrusted Perforce repository fields before running commands.
- **Use Trusted Sources:** Only run Composer on projects and dependencies from verified providers.
- **Configuration Change:** Avoid using the `--prefer-dist` flag or setting `"preferred-install": "dist"` for untrusted projects.
## Detection
- **Indicators of Compromise:** Scan `composer.json` files for Perforce repository definitions containing unusual shell characters (e.g., `;`, `&`, `|`, `` ` ``, `$()`).
- **Detection Methods:** Check Composer version via `composer --version`. Packagist.org has disabled the publication of Perforce source metadata as a proactive defense.
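As an added example (not from the advisory or from the Composer project), the indicator check above written as a scanner: it walks the Perforce repository definitions in a parsed `composer.json` (list or name-keyed form, including inline `package` repositories) and the Perforce `source` blocks of a `composer.lock` / `installed.json`, and reports every string field carrying a shell metacharacter. Function names and the sample repository definitions are constructed for the example.

```python
import json

# Characters that let a value break out of a p4 command line: the class of
# input the advisory says the Perforce driver failed to escape.
SHELL_META = frozenset(";&|`$(){}<>\\\"'\n")

def _flag_strings(obj: dict, where: str) -> list[str]:
    """Return 'where.key: value' for each string field holding a metacharacter."""
    return [f"{where}.{k}: {v!r}" for k, v in obj.items()
            if isinstance(v, str) and any(c in SHELL_META for c in v)]

def _perforce(obj) -> bool:
    return isinstance(obj, dict) and str(obj.get("type", "")).lower() == "perforce"

def scan_composer_doc(doc: dict) -> list[str]:
    """Scan a parsed composer.json / composer.lock / installed.json for Perforce
    definitions whose string fields carry shell metacharacters."""
    findings: list[str] = []
    # composer.json: "repositories" is a list or a name-keyed object.
    repos = doc.get("repositories", [])
    for i, repo in enumerate(repos.values() if isinstance(repos, dict) else repos):
        if _perforce(repo):
            findings += _flag_strings(repo, f"repositories[{i}]")
        # Inline "package" repositories (one object or a list) may embed a
        # Perforce "source" block with its own url/reference.
        pkgs = repo.get("package", []) if isinstance(repo, dict) else []
        for pkg in pkgs if isinstance(pkgs, list) else [pkgs]:
            if isinstance(pkg, dict) and _perforce(pkg.get("source")):
                findings += _flag_strings(pkg["source"], f"repositories[{i}].package.source")
    # composer.lock / installed.json: "source.reference" is the branch, tag or commit handed to p4.
    for section in ("packages", "packages-dev"):
        for pkg in doc.get(section, []):
            if isinstance(pkg, dict) and _perforce(pkg.get("source")):
                findings += _flag_strings(pkg["source"], f"{section}[{pkg.get('name')}].source")
    return findings

def scan_composer_file(path: str) -> list[str]:
    with open(path, encoding="utf-8") as fh:
        return scan_composer_doc(json.load(fh))

# Constructed sample (not from a real project): a clean Perforce repository, one
# whose branch field smuggles a shell separator, and an unrelated git repository.
SAMPLE_COMPOSER_JSON = {"repositories": [
    {"type": "perforce", "url": "perforce.example.test:1666", "branch": "main"},
    {"type": "perforce", "url": "perforce.example.test:1666", "branch": "main; id"},
    {"type": "vcs", "url": "https://git.example.test/acme/lib.git"},
]}
```

Run `scan_composer_file` over every `composer.json`, `composer.lock` and `vendor/composer/installed.json` in a checkout before invoking Composer; an empty list means no Perforce field contained a metacharacter, not that the project is safe to run with an unpatched Composer.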
## References
- **Vendor Advisory (CVE-2026-40176):** hxxps://github[.]com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p
- **Vendor Advisory (CVE-2026-40261):** hxxps://github[.]com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q
- **Packagist Blog:** hxxps://blog[.]packagist[.]com/composer-2-9-6-perforce-driver-command-injection-vulnerabilities/
- **Original Report:** hxxps://thehackernews[.]com/2026/04/new-php-composer-flaws-enable-arbitrary.html