PHP Composer Vulnerabilities Allow Remote Code Execution Through Perforce Integration
Key Findings
Two high-severity command injection vulnerabilities discovered in PHP Composer's Perforce VCS driver
CVE-2026-40176 (CVSS 7.8) and CVE-2026-40261 (CVSS 8.8) allow arbitrary command execution through malicious repository configs and crafted inputs
Patches released: Composer 2.9.6 (mainline) and 2.2.27 (LTS)
No active exploitation detected on Packagist.org or Private Packagist as of April 10, 2026
Perforce metadata publishing temporarily disabled as precaution
Background
PHP Composer is a widely used dependency manager for PHP that automates the installation and management of project libraries. Developers define required packages in a composer.json file, and Composer handles downloading, updating, and resolving dependencies. The tool is essential to modern PHP development, particularly for popular frameworks such as Laravel and Symfony.
CVE-2026-40176: Malicious composer.json Injection
This vulnerability stems from improper input validation in the generateP4Command() method. User-controlled connection parameters including port, user, and client fields are inserted into shell commands without sanitization. An attacker controlling a malicious composer.json with a Perforce VCS repository declaration can inject arbitrary shell metacharacters to execute commands in the context of the user running Composer.
The primary limitation is that this vulnerability requires an attacker to control the root project's composer.json file, meaning users must actively run Composer on untrusted projects for exploitation to succeed. Installation of compromised dependencies alone does not trigger this flaw.
CVE-2026-40261: Crafted Source Reference Injection
This more dangerous vulnerability affects the syncCodeBase() method and carries a higher CVSS score due to its broader exploitation surface. Insufficient escaping of the source reference parameter allows command injection through specially crafted metadata containing shell metacharacters. Critically, this flaw can be exploited even when Perforce is not installed on the system.
The vulnerability becomes particularly dangerous when users install or update dependencies from source, as attackers can compromise repositories or craft malicious metadata to inject commands during dependency installation. This means the attack surface extends beyond user control to include any compromised package source.
Affected Versions and Remediation
Versions 2.3 through 2.9.5 and 2.0 through 2.2.26 are vulnerable. Organizations should immediately upgrade to Composer 2.9.6 or 2.2.27 LTS by running composer.phar self-update.
For users unable to patch immediately, several mitigation strategies are recommended. Install dependencies using the --prefer-dist flag or configure preferred-install to dist to avoid building from source. Review all composer.json files before running Composer to ensure Perforce fields contain only valid values. Additionally, only run Composer on projects from trusted sources and exclusively use trusted repositories.
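To make the injection condition described for CVE-2026-40176 and the composer.json review recommended above concrete, here is an added PHP example that is not part of Composer or of the advisory: a small scanner that flags Perforce repository fields containing shell metacharacters, beside a hardened command builder that passes every user-controlled value through escapeshellarg(). The allowlist pattern, the sample field names and the sample composer.json are constructed for this example and may flag legitimate but unusual values for manual review.

```php
<?php
// Added example, not Composer's own code: flags Perforce repository entries in a
// composer.json whose string fields carry shell metacharacters (the injection
// condition described for CVE-2026-40176) and shows how such values should be
// escaped before reaching a shell. The allowlist pattern is an assumption.
declare(strict_types=1);
// Conservative allowlist for host:port, user and client names and depot paths;
// quotes, ';', '|', '$', backticks and whitespace all fall outside it.
const P4_FIELD_PATTERN = '/^[A-Za-z0-9._:@\/-]+$/';

// Returns one finding per suspicious field: ['index' => n, 'field' => ..., 'value' => ...].
function findSuspiciousPerforceFields(string $composerJson): array
{
    $data = json_decode($composerJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach ($data['repositories'] ?? [] as $index => $repo) {
        if (!is_array($repo) || ($repo['type'] ?? '') !== 'perforce') {
            continue;
        }
        // Every string field of a perforce entry is checked, so the exact key
        // names (port/user/client or their composer.json spellings) need not be known.
        foreach ($repo as $field => $value) {
            if ($field !== 'type' && is_string($value) && !preg_match(P4_FIELD_PATTERN, $value)) {
                $findings[] = ['index' => $index, 'field' => $field, 'value' => $value];
            }
        }
    }
    return $findings;
}

// Hardened command construction: each user-controlled value is wrapped by
// escapeshellarg(), so metacharacters reach p4 as data rather than shell syntax.
function buildP4Command(string $port, string $user, string $client): string
{
    return sprintf('p4 -p %s -u %s -c %s info',
        escapeshellarg($port), escapeshellarg($user), escapeshellarg($client));
}

// Constructed sample: one clean entry and one whose URL field smuggles a second command.
$sample = <<<'JSON'
{"repositories": [
  {"type": "perforce", "url": "p4.example.internal:1666", "p4user": "builder", "client": "ci-ws"},
  {"type": "perforce", "url": "p4.example.internal:1666; echo injected", "p4user": "builder"}
]}
JSON;

foreach (findSuspiciousPerforceFields($sample) as $f) {
    printf("repositories[%d].%s rejected: %s\n", $f['index'], $f['field'], json_encode($f['value']));
}
echo buildP4Command('p4.example.internal:1666; echo injected', 'builder', 'ci-ws'), "\n";
```

Running the script reports the second repository's url field and prints the escaped command line, in which the injected `; echo injected` is quoted into the `-p` argument instead of being executed.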
Disclosure and Response
Researchers Koda Reef and saku0512 reported the vulnerabilities, leading to coordinated disclosure. Composer maintainers conducted scans of both Packagist.org and Private Packagist and found no evidence of exploitation attempts through published packages with malicious Perforce information.
As a precautionary measure, Perforce metadata publishing was disabled on Packagist.org starting April 10, 2026. Private Packagist Self-Hosted customers will receive updates and should upgrade Composer promptly while verifying any stored metadata for suspicious content.
Sources
https://securityaffairs.com/190824/security/php-composer-flaws-enable-remote-command-execution-via-perforce-vcs.html
https://thehackernews.com/2026/04/new-php-composer-flaws-enable-arbitrary.html