CVE-2026-40176

HIGH EPSS 57.6%
Published Apr 15, 20262mo ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Apr 15, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
57.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-20 Improper Input Validation Validation
CWE-78 OS Command Injection Injection

Affected Products 2

VendorProductVersionRange
getcomposercomposer*≥1.0.0  –  ≤2.2.26
getcomposercomposer*≥2.3.0  –  ≤2.9.5

References 2

  • github.com https://github.com/composer/composer/releases/tag/2.9.6
    Release Notes
  • github.com https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.