
Critical Command Injection Vulnerabilities in Composer's Perforce Driver

Severity: High (Score: 72.0)

Sources: Laravel-News, github.com, Scworld, Blog.Packagist

Summary

Two command injection vulnerabilities, CVE-2026-40176 and CVE-2026-40261, have been identified in Composer's Perforce VCS driver, allowing attackers to execute arbitrary commands on user systems. CVE-2026-40176, affecting the Perforce::generateP4Command() method, can be exploited through malicious Perforce connection parameters in composer.json files. CVE-2026-40261 impacts the Perforce::syncCodeBase() method, enabling command injection via crafted source references from compromised repositories. Both vulnerabilities stem from insufficient input validation and escaping, posing significant risks when using untrusted projects. Composer versions 2.9.6 and 2.2.27 (LTS) have been released to address these issues. Users are advised to update immediately and avoid installing from source when possible. No exploitation attempts have been detected as of the publication date.

Key Points

  • Two critical vulnerabilities in Composer's Perforce driver allow command injection.
  • CVE-2026-40176 and CVE-2026-40261 require immediate updates to Composer versions 2.9.6 or 2.2.27.
  • Exploitation can occur through malicious composer.json files or compromised repositories.
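The two defender-side checks that follow from the summary above, as an added example that is not Composer's code or the upstream fix: a version test against the two fixed releases named here (2.9.6 on the current line, 2.2.27 on the 2.2 LTS line), and a review pass over composer.json that flags perforce-type repository entries whose connection strings contain shell metacharacters. The field names p4user and p4password, the sample composer.json, and the metacharacter set are assumptions for illustration.

```python
import json
import re

# Fixed Composer releases named in the advisory (assumed to be inclusive lower bounds).
FIXED_CURRENT = (2, 9, 6)
FIXED_LTS = (2, 2, 27)

# Shell metacharacters that have no place in a Perforce host, user or depot string (assumed set).
SUSPICIOUS = re.compile(r"[;&|`$<>\n\r]")


def parse_version(text):
    """Pull a (major, minor, patch) tuple out of `composer --version` style output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if this Composer release carries the Perforce driver fix."""
    if version[:2] == (2, 2):       # LTS line is fixed separately in 2.2.27
        return version >= FIXED_LTS
    return version >= FIXED_CURRENT  # every other 2.x line needs 2.9.6 or later


def flag_perforce_repos(composer_json):
    """Return (repo index, field, value) for perforce repo fields holding shell metacharacters."""
    findings = []
    data = json.loads(composer_json)
    for i, repo in enumerate(data.get("repositories", [])):
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        for field, value in repo.items():
            if isinstance(value, str) and SUSPICIOUS.search(value):
                findings.append((i, field, value))
    return findings


# Constructed sample: one clean entry, one with a stray metacharacter in a connection field.
SAMPLE = json.dumps({"repositories": [
    {"type": "perforce", "url": "perforce.example.com:1666", "p4user": "build"},
    {"type": "perforce", "url": "perforce.example.com:1666", "p4user": "ci&user"},
]})

if __name__ == "__main__":
    print(is_patched(parse_version("Composer version 2.9.5 2026-01-01")))
    print(flag_perforce_repos(SAMPLE))
```

A hit from flag_perforce_repos is a prompt for manual review of the project before running any Composer command against it, not proof of an attack.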

Key Entities

  • Command Injection (attack_type)
  • Zero-day Exploit (attack_type)
  • CVE-2026-40176 (cve)
  • CVE-2026-40261 (cve)
  • CWE-20 - Improper Input Validation (cwe)
  • CWE-78 - OS Command Injection (cwe)
  • packagist.org (domain)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • Composer (tool)
  • Perforce VCS (platform)
  • Perforce VCS Driver (platform)
  • PHP Composer (platform)