Composer 2.9.6 Fixes Command Injection Vulnerabilities in Perforce Driver

Severity: High (Score: 60.8)

Sources: github.com, Blog.Packagist, Laravel-News

Summary

Composer has released versions 2.9.6 and 2.2.27 LTS to address two command injection vulnerabilities (CVE-2026-40261 and CVE-2026-40176) in its Perforce VCS driver. Both vulnerabilities stem from insufficient escaping of shell command values, which could allow attackers to inject arbitrary commands through malicious composer.json files. CVE-2026-40176 affects the Perforce::generateP4Command() method, while CVE-2026-40261 impacts the Perforce::syncCodeBase() method. These vulnerabilities can be exploited when running Composer commands on untrusted projects or when installing from compromised repositories. The Composer team has stated that there is no evidence of exploitation prior to the publication of the vulnerabilities. Users are advised to update immediately and take precautions when using Composer with Perforce. The vulnerabilities do not require Perforce to be installed on the client for exploitation to occur.

Key Points:

  • Composer versions 2.9.6 and 2.2.27 LTS fix two command injection vulnerabilities.
  • CVE-2026-40176 and CVE-2026-40261 involve insufficient escaping in shell command construction.
  • Immediate updates are recommended to mitigate potential exploitation risks.
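As an added illustration in PHP (not Composer's own driver code, and not the patched version), the pattern behind this class of bug: a command string assembled from an untrusted configuration value, beside the same command with each value escaped as a single argument. The function names, the `-u` user option and the sample depot path are constructed for the example and are not taken from the advisory.

```php
<?php
// Added illustration, not Composer's code: why insufficient escaping of
// shell command values leads to command injection, and how escaping fixes it.

// Constructed sample value standing in for a field read from an untrusted
// composer.json. The text after ';' is a harmless marker, nothing more.
$depot = 'depot/project; echo INJECTED';

// Vulnerable pattern: the value is interpolated verbatim, so the ';'
// terminates the p4 command and the remainder runs as a second command.
function buildCommandUnescaped(string $user, string $depot): string
{
    return "p4 -u $user sync //$depot/...";
}

// Hardened pattern: every externally supplied value is wrapped by
// escapeshellarg(), which single-quotes it so the shell treats the whole
// value, metacharacters included, as one literal argument.
function buildCommandEscaped(string $user, string $depot): string
{
    return 'p4 -u ' . escapeshellarg($user)
        . ' sync ' . escapeshellarg('//' . $depot . '/...');
}

// Defence in depth: reject values containing characters that no legitimate
// depot path needs, before they ever reach command construction.
function isPlausibleDepotPath(string $depot): bool
{
    return preg_match('#^[A-Za-z0-9_./-]+$#', $depot) === 1;
}

echo 'unescaped: ' . buildCommandUnescaped('build', $depot) . PHP_EOL;
echo 'escaped:   ' . buildCommandEscaped('build', $depot) . PHP_EOL;
echo 'plausible: ' . var_export(isPlausibleDepotPath($depot), true) . PHP_EOL;
```

Running the script shows the unescaped command split at the `;`, while the escaped form keeps the entire value inside one quoted argument and the allow-list check rejects it outright.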

Key Entities

  • Command Injection (attack_type)
  • Zero-day Exploit (attack_type)
  • CVE-2026-40176 (cve)
  • CVE-2026-40261 (cve)
  • packagist.org (domain)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • Composer (tool)
  • Perforce VCS Driver (platform)