Packagist.org and PHP Composer: New PHP Composer Vulnerability Let Attackers Execute Arbitrary Commands

Critical Command Injection Vulnerabilities Patched in PHP Composer

PHP Composer, the widely used dependency management tool for PHP developers, has released urgent security updates to address two critical command injection vulnerabilities. The flaws, tracked as CVE-2026-40176 and CVE-2026-40261, affect the Perforce Version Control System (VCS) driver and could allow attackers to execute arbitrary commands on a victim’s machine.

The vulnerabilities stem from insufficient escaping of values when constructing shell commands. CVE-2026-40176, discovered by researcher saku0512, enables command injection via manipulated connection parameters (e.g., port, user, or client) in a malicious composer.json file. This attack requires a developer to manually run Composer commands on an untrusted project directory. CVE-2026-40261, reported by Koda Reef, involves improper escaping when appending source reference parameters, allowing exploitation through tainted package metadata even without Perforce installed on the target system.
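To make the root cause concrete, the following is an added illustration (not Composer's own code, and not the patched driver) of the bug class the advisory describes: a connection parameter taken from an untrusted composer.json is interpolated into a shell command string. The function names, the sample values and the allow-list regex are assumptions made for this example; `p4 -p` and `-u` are the Perforce client's real port and user options.

```php
<?php
// Added example, not code from Composer. It shows the pattern behind a shell
// command injection in a VCS driver and two hardened alternatives.

// Constructed sample values, as they might arrive from an untrusted
// composer.json. The port carries a harmless marker after a shell
// metacharacter so the difference between the builders is visible.
$untrustedPort = '1666; echo INJECTED';
$untrustedUser = 'build';

// UNSAFE: raw interpolation. A shell re-parses this string, so the ';'
// inside $port terminates the p4 command and starts a second one.
function buildUnsafeCommand(string $port, string $user): string
{
    return "p4 -p $port -u $user info";
}

// SAFE (string form): escapeshellarg() wraps each untrusted value in a
// single-quoted shell literal, so it reaches p4 as one argument.
function buildSafeCommand(string $port, string $user): string
{
    return 'p4 -p ' . escapeshellarg($port) . ' -u ' . escapeshellarg($user) . ' info';
}

// SAFER (argv form, PHP >= 7.4): giving proc_open() an array bypasses the
// shell entirely, so no quoting rules apply and there is nothing to inject into.
function runWithoutShell(string $port, string $user): int
{
    $argv = ['p4', '-p', $port, '-u', $user, 'info'];
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $descriptors, $pipes);
    if (!is_resource($proc)) {
        return -1; // p4 not installed or could not be started
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    return proc_close($proc);
}

// Defence in depth: validate the value's shape before it reaches any command.
// Hypothetical allow-list for P4PORT-style values such as "1666",
// "host:1666" or "ssl:host:1666".
function isValidPort(string $port): bool
{
    return (bool) preg_match('/^(?:[A-Za-z0-9.\-]+:)*\d{1,5}$/', $port);
}

// Compare the two string builders; only the unsafe one yields a second command.
echo buildUnsafeCommand($untrustedPort, $untrustedUser), PHP_EOL;
echo buildSafeCommand($untrustedPort, $untrustedUser), PHP_EOL;
var_dump(isValidPort($untrustedPort));
```

Running this prints the unsafe string with the marker sitting outside any quotes (two shell commands) and the safe string with the whole port value inside single quotes (one argument), and the allow-list check rejects the tainted port outright. The argv form is the one to prefer in new code: it removes the shell from the path, which is why the fix class for this kind of bug is "escape or, better, do not build a shell string at all".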

The PHP Composer team confirmed no evidence of active exploitation before disclosure. Proactive scans of Packagist.org and Private Packagist found no malicious packages leveraging these flaws. As a precaution, Perforce source metadata publication was disabled on both platforms on April 10, 2026.

Users are advised to update to Composer 2.9.6 or the LTS version 2.2.27 immediately. Temporary mitigations include avoiding source-based dependency installation (using --prefer-dist), verifying composer.json files in untrusted projects, and relying on trusted repositories. Self-hosted Private Packagist users will receive verification tools to scan for malicious metadata.

Source: https://cybersecuritynews.com/php-composer-vulnerability/

Composer - PHP Dependency Manager cybersecurity rating report: https://www.rankiteo.com/company/phpcomposer

"id": "PHP1776263066",
"linkid": "phpcomposer",
"type": "Vulnerability",
"date": "4/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'PHP developers using Composer '
                                              'with Perforce VCS driver',
                        'industry': 'Software Development',
                        'name': 'PHP Composer',
                        'type': 'Software Tool'},
                       {'customers_affected': 'Users of Packagist.org',
                        'industry': 'Software Development',
                        'name': 'Packagist.org',
                        'type': 'Package Repository'},
                       {'customers_affected': 'Users of Private Packagist',
                        'industry': 'Software Development',
                        'name': 'Private Packagist',
                        'type': 'Package Repository'}],
 'attack_vector': 'Malicious composer.json file / Tainted package metadata',
 'customer_advisories': 'Advisory to update Composer and avoid untrusted '
                        'projects',
 'date_publicly_disclosed': '2026-04-10',
 'description': 'PHP Composer, the widely used dependency management tool for '
                'PHP developers, has released urgent security updates to '
                'address two critical command injection vulnerabilities '
                '(CVE-2026-40176 and CVE-2026-40261). The flaws affect the '
                'Perforce Version Control System (VCS) driver and could allow '
                'attackers to execute arbitrary commands on a victim’s machine '
                'due to insufficient escaping of values when constructing '
                'shell commands.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to PHP '
                                       'Composer and Packagist.org',
            'operational_impact': 'Potential arbitrary command execution on '
                                  'victim machines',
            'systems_affected': 'PHP Composer with Perforce VCS driver'},
 'investigation_status': 'Completed (no evidence of active exploitation found)',
 'lessons_learned': 'Importance of proper input escaping in shell command '
                    'construction and verifying untrusted project files before '
                    'execution.',
 'post_incident_analysis': {'corrective_actions': 'Patches released to '
                                                  'properly escape values in '
                                                  'shell command construction',
                            'root_causes': 'Insufficient escaping of values '
                                           'when constructing shell commands '
                                           'in Perforce VCS driver'},
 'recommendations': ['Update to Composer 2.9.6 or LTS version 2.2.27 '
                     'immediately',
                     'Avoid source-based dependency installation (use '
                     '--prefer-dist)',
                     'Verify composer.json files in untrusted projects',
                     'Rely on trusted repositories',
                     'Use verification tools for self-hosted Private '
                     'Packagist'],
 'references': [{'source': 'PHP Composer Security Advisory'},
                {'source': 'Researcher saku0512 (CVE-2026-40176)'},
                {'source': 'Researcher Koda Reef (CVE-2026-40261)'}],
 'response': {'communication_strategy': 'Advisory to update Composer and avoid '
                                        'untrusted projects',
              'containment_measures': 'Disabled Perforce source metadata '
                                      'publication on Packagist.org and '
                                      'Private Packagist',
              'enhanced_monitoring': 'Proactive scans of Packagist.org and '
                                     'Private Packagist for malicious packages',
              'remediation_measures': 'Released Composer 2.9.6 and LTS version '
                                      '2.2.27 with patches'},
 'stakeholder_advisories': 'Advisory to update Composer and follow mitigation '
                           'steps',
 'title': 'Critical Command Injection Vulnerabilities Patched in PHP Composer',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': ['CVE-2026-40176', 'CVE-2026-40261']}