Critical PHP Composer Vulnerability Lets Attackers Execute Commands
Key Takeaways
- Two critical command injection vulnerabilities (CVE-2026-40176, CVE-2026-40261) have been discovered in PHP Composer, a widely used dependency manager.
- These flaws allow attackers to execute arbitrary commands on a victim’s system, primarily through manipulated connection parameters or malicious package metadata.
- Developers handling untrusted projects or installing dependencies from compromised repositories are at risk.
- Urgent security updates are available in Composer versions 2.9.6 and 2.2.27.
- There is no evidence of active exploitation in the wild as of the public disclosure.
Critical Command Injection Flaws Found in PHP Composer
PHP Composer, an indispensable dependency management tool for developers globally, has released urgent security updates to address two critical command injection vulnerabilities. These flaws, which could enable attackers to execute arbitrary commands on affected systems, represent a significant concern for the developer community.
The identified vulnerabilities are specifically located within Composer’s Perforce Version Control System (VCS) driver. They stem from inadequate escaping of values when the tool constructs shell commands, as detailed in an official security advisory published by Nils Adermann.
Users are strongly advised to update their Composer installations immediately to version 2.9.6 or the long-term support version 2.2.27 to mitigate these risks. The development team has confirmed that, fortunately, no active exploitation of these vulnerabilities has been observed prior to their public disclosure.
Deep Dive into the Vulnerabilities
These two security issues expose software developers to considerable risks, particularly when they interact with untrusted projects or malicious package metadata:
- CVE-2026-40176: Discovered by security researcher saku0512, this vulnerability impacts an internal method responsible for generating Perforce commands. Attackers can inject arbitrary commands by manipulating connection parameters—such as the port, user, or client—within a specially crafted composer.json file. This attack vector requires a developer to manually execute Composer commands on an untrusted project directory and cannot be triggered silently through standard installed dependencies.
- CVE-2026-40261: Reported by Koda Reef, this flaw involves insufficient escaping when a source reference parameter is appended to a system shell command. A compromised or malicious Composer repository could easily serve tainted package metadata designed to exploit this vulnerability. Alarmingly, an attacker does not need the Perforce software installed on the target machine, as Composer will attempt to execute the injected command regardless. This makes the vulnerability particularly dangerous, as it can be exploited simply by installing malicious dependencies from a compromised source.
In a proactive measure to safeguard the broader PHP developer ecosystem, security teams conducted comprehensive scans of the primary public repository, Packagist.org, as well as Private Packagist environments. These scans found no existing packages attempting to exploit these specific vulnerabilities. As a strict preventative measure, the publication of Perforce source metadata has been entirely disabled on both platforms since April 10, 2026.
What You Should Do
- Immediate Update: The most effective mitigation is to update your Composer installation without delay. Run composer.phar self-update in your terminal to upgrade to version 2.9.6 or 2.2.27.
- Prefer Distribution Files: If immediate patching is not possible, avoid installing dependencies directly from source. Use the --prefer-dist flag or configure your project settings to prefer distribution files over source.
- Trust Verified Repositories: Only rely on trusted and verified Composer package repositories for your dependencies.
- Inspect Untrusted Projects: Before executing Composer commands on any untrusted project, carefully inspect its composer.json file to verify that all Perforce-related fields contain valid, non-malicious data.
- Private Packagist Users: Developers using self-hosted Private Packagist solutions should expect a prompt release update that includes verification tools to scan their own infrastructure for malicious metadata.
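As an added example (not code from the advisory, Composer or Packagist), the following Python checker applies the "inspect untrusted projects" advice to both surfaces described above: Perforce repository entries in composer.json (the connection parameters behind CVE-2026-40176) and Perforce source references recorded in composer.lock (the reference parameter behind CVE-2026-40261). It flags any string value in those entries that contains shell metacharacters. The two sample files are constructed; the key names p4user and depot follow Composer's documented Perforce repository options, but the check does not depend on them.

```python
import json
import re

# Characters with meaning to a POSIX shell. A legitimate Perforce port
# (host:1666), user, client name or changelist reference never needs them.
SHELL_META = re.compile(r"[;&|`$()<>\n\r'\"\\]")

# Constructed samples: repository entry 1 and the second lock package carry a tainted value.
SAMPLE_COMPOSER_JSON = """{
  "repositories": [
    {"type": "perforce", "url": "perforce.example.test:1666", "p4user": "alice", "depot": "depot"},
    {"type": "perforce", "url": "perforce.example.test:1666", "p4user": "alice; echo injected"}
  ]
}"""
SAMPLE_COMPOSER_LOCK = """{
  "packages": [
    {"name": "vendor/clean", "source": {"type": "perforce", "url": "perforce.example.test:1666", "reference": "123456"}},
    {"name": "vendor/tainted", "source": {"type": "perforce", "url": "perforce.example.test:1666", "reference": "123456`hostname`"}}
  ],
  "packages-dev": []
}"""

def _suspicious_strings(obj, path):
    """Yield (json_path, value) for every string under obj that contains shell metacharacters."""
    if isinstance(obj, str):
        if SHELL_META.search(obj):
            yield path, obj
    elif isinstance(obj, dict):
        for key, val in obj.items():
            yield from _suspicious_strings(val, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            yield from _suspicious_strings(val, f"{path}[{i}]")

def find_perforce_findings(composer_json, composer_lock=None):
    """Return [(location, value), ...] for Perforce fields in composer.json / composer.lock with shell metacharacters."""
    findings = []
    repos = json.loads(composer_json).get("repositories", [])
    entries = list(repos.values()) if isinstance(repos, dict) else repos  # may be keyed by name
    for idx, repo in enumerate(entries):
        if isinstance(repo, dict) and repo.get("type") == "perforce":
            findings.extend(_suspicious_strings(repo, f"composer.json:repositories[{idx}]"))
    if composer_lock:
        for section in ("packages", "packages-dev"):
            for pkg in json.loads(composer_lock).get(section, []):
                src = pkg.get("source") or {}
                if src.get("type") == "perforce":
                    findings.extend(_suspicious_strings(src, f"composer.lock:{section}:{pkg.get('name')}.source"))
    return findings
```

Run it against a project's composer.json and composer.lock before invoking Composer on it; any finding is a value that must not reach a shell unquoted, and on an unpatched Composer it is a reason not to run the tool at all.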
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.