
[CIVN-2026-0189] Multiple Vulnerabilities in PHP Composer
Multiple Vulnerabilities in PHP Composer
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Composer versions prior to 2.9.6 (mainline) and 2.2.27 (LTS)
Overview
Multiple vulnerabilities have been reported in PHP Composer which could allow an attacker to execute arbitrary commands on the targeted system.
Target Audience:
Individuals, system administrators and organizations using PHP Composer.
Risk Assessment:
High risk of arbitrary command execution when running Composer on untrusted projects or installing dependencies from compromised repositories; requires user interaction.
Impact Assessment:
Potential for arbitrary command execution, system compromise depending on user privileges, and unauthorized system access.
Description
Composer is a widely used dependency manager for PHP applications.
Multiple vulnerabilities exist in Composer due to insufficient escaping of values used in shell command construction in the Perforce VCS driver.
1. Command Injection (CVE-2026-40176)
This vulnerability exists due to improper escaping of user-supplied Perforce connection parameters in the Perforce::generateP4Command() method of Composer. An attacker could exploit this vulnerability by persuading a victim to run Composer commands on a specially crafted project containing a malicious composer.json file.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the targeted system.
2. Command Injection (CVE-2026-40261)
This vulnerability exists due to improper escaping of source reference and source URL parameters in the Perforce::syncCodeBase() method of Composer. An attacker could exploit this vulnerability by persuading a victim to install or update dependencies from a specially crafted or compromised Composer repository.
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the targeted system.
Solution
Apply appropriate updates as provided by the vendor:
https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p
https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q
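As an added triage aid, not part of the CERT-In advisory or of Composer itself: a small Python check that classifies an installed Composer version against the fixed releases named above (2.9.6 mainline, 2.2.27 LTS) and lists the repositories in a composer.json that would be handled by the Perforce driver. The `"type": "perforce"` repository key, the sample banner and the sample JSON are assumptions constructed for this example.

```python
import json
import re

# Fixed versions from the advisory: mainline 2.9.6, LTS 2.2.27.
FIXED_MAINLINE = (2, 9, 6)
FIXED_LTS = (2, 2, 27)


def parse_composer_version(banner: str) -> tuple:
    """Extract the version tuple from `composer --version` output.

    Sample banner (constructed): "Composer version 2.9.5 2026-03-01 10:00:00".
    """
    m = re.search(r"Composer version (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"unrecognised composer banner: {banner!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: tuple) -> bool:
    """True when the version is older than the fix for its branch.

    2.2.x installs are the LTS branch and are fixed from 2.2.27;
    every other version is compared against the mainline fix 2.9.6.
    """
    if version[:2] == (2, 2):
        return version < FIXED_LTS
    return version < FIXED_MAINLINE


def perforce_repositories(composer_json: str) -> list:
    """Return the URLs of composer.json repositories using the Perforce driver.

    Assumption (not stated in the advisory): Composer selects the Perforce
    VCS driver for repository entries whose "type" is "perforce".
    """
    data = json.loads(composer_json)
    repos = data.get("repositories", [])
    if isinstance(repos, dict):  # composer.json also allows a name-keyed object
        repos = list(repos.values())
    return [r.get("url", "") for r in repos
            if isinstance(r, dict) and r.get("type") == "perforce"]


if __name__ == "__main__":
    # Constructed sample inputs for demonstration, not real data.
    banner = "Composer version 2.9.5 2026-03-01 10:00:00"
    sample = '{"repositories": [{"type": "perforce", "url": "perforce.example:1666"}]}'
    v = parse_composer_version(banner)
    print(f"composer {'.'.join(map(str, v))} affected: {is_affected(v)}")
    print("perforce repositories:", perforce_repositories(sample))
```

Run it against the real `composer --version` output and the project's composer.json to decide whether the update has been applied and whether the Perforce driver is in use at all.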
Vendor Information
Composer
https://blog.packagist.com/composer-2-9-6-perforce-driver-command-injection-vulnerabilities/
References
https://blog.packagist.com/composer-2-9-6-perforce-driver-command-injection-vulnerabilities/
https://thehackernews.com/2026/04/new-php-composer-flaws-enable-arbitrary.html
CVE Name
CVE-2026-40176
CVE-2026-40261
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


