New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

AndyC 15 April 2026

Ravie LakshmananApr 14, 2026Vulnerability / DevSecOps

Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution.

New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

Ravie LakshmananApr 14, 2026Vulnerability / DevSecOps

New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution.

The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below –

  • CVE-2026-40176 (CVSS score: 7.8) – An improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer.
  • CVE-2026-40261 (CVSS score: 8.8) – An improper input validation vulnerability stemming from inadequate escaping that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.

In both cases, Composer would execute these injected commands even if Perforce VCS is not installed, the maintainers noted in an advisory.

The vulnerabilities affect the following versions –

  • >= 2.3, < 2.9.6 (Fixed in version 2.9.6)
  • >= 2.0, < 2.2.27 (Fixed in version 2.2.27)

If immediate patching is not an option, it’s advised to inspect composer.json files before running Composer and verify that Perforce-related fields contain valid values. It’s also recommended to only use trusted Composer repositories, run Composer commands on projects from trusted sources, and avoid installing dependencies using the “–prefer-dist” or the “preferred-install: dist” configuration setting.

Composer said it scanned Packagist.org and did not find any evidence of the aforementioned vulnerabilities being exploited by threat actors by publishing packages with malicious Perforce information. A new release is expected to be shipped for Private Packagist Self-Hosted customers.

“As a precaution, publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026,” it said. “Composer installations should be updated immediately regardless.”

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

What do you feel about this?

More Stories

Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security

Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security

AndyC 15 April 2026
AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud

AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud

AndyC 15 April 2026
Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads

Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads

AndyC 15 April 2026
Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report)

Analysis of 216M Security Findings Shows a 4x Increase In Critical Risk (2026 Report)

AndyC 15 April 2026
108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users

108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users

AndyC 15 April 2026
ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

ShowDoc RCE Flaw CVE-2025-0520 Actively Exploited on Unpatched Servers

AndyC 14 April 2026

You may have missed

Recovery scammers hit you when you’re down: Here’s how to avoid a second strike

Recovery scammers hit you when you’re down: Here’s how to avoid a second strike

AndyC 15 April 2026
Recovery scammers hit you when you’re down: Here’s how to avoid a second strike

Recovery scammers hit you when you’re down: Here’s how to avoid a second strike

AndyC 15 April 2026
Spotlight On: Stripe, a New Principal Participating Organization

Spotlight On: Stripe, a New Principal Participating Organization

AndyC 15 April 2026
Spotlight On: Stripe, a New Principal Participating Organization

Spotlight On: Stripe, a New Principal Participating Organization

AndyC 15 April 2026

Can Your Wearable Health Monitors Be Compromised?

AndyC 15 April 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.