CVE-2026-40261

HIGH EPSS 65.8%
Published Apr 15, 20262mo ago · Modified Jun 17, 20262w ago
8.8 CVSS 3.1
High
Find Similar
Published Apr 15, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago

Description

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.

CVSS Details

Base Score
8.8
Exploitability
2.8
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
65.8% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 2

CWE-20 Improper Input Validation Validation
CWE-78 OS Command Injection Injection

Affected Products 2

VendorProductVersionRange
getcomposercomposer*≥1.0.0  –  ≤2.2.26
getcomposercomposer*≥2.3.0  –  ≤2.9.5

References 2

  • github.com https://github.com/composer/composer/releases/tag/2.9.6
    Release Notes
  • github.com https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.