
"CVE-2026-40176 is an improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json to inject arbitrary commands, resulting in command execution in the context of the user running Composer."
"CVE-2026-40261 stems from inadequate escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters."
"Composer would execute these injected commands even if Perforce VCS is not installed, as noted by the maintainers in an advisory."
"If immediate patching is not an option, it's advised to inspect composer.json files before running Composer and verify that Perforce-related fields contain valid values."
Two critical vulnerabilities have been identified in Composer, the PHP package manager, which allow arbitrary command execution through command injection flaws in the Perforce VCS driver. CVE-2026-40176 and CVE-2026-40261 have CVSS scores of 7.8 and 8.8, respectively. These vulnerabilities affect specific Composer versions and can be exploited even when Perforce VCS is not installed. Users are advised to inspect composer.json files and use trusted repositories. Composer has not found evidence of exploitation on Packagist.org and plans to release updates for affected users.
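A pre-flight check of the kind the advice above describes, added here as an example rather than code from Composer or the article: it parses a composer.json document, picks out Perforce repository entries and flags any field containing shell metacharacters. It assumes Perforce repositories are declared with `"type": "perforce"` and that the field names in `PERFORCE_FIELDS` are the ones the Perforce driver consumes (taken from Composer's repository documentation, not from this page).

```python
import json
import re

# Repository config keys the Perforce driver is assumed to hand to the p4 client
# (assumption: names from Composer's repository documentation, not from the article).
PERFORCE_FIELDS = ("url", "branch", "depot", "p4user", "p4password")
# Characters that have no business in a well-formed Perforce field value.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\\"']")


def find_suspicious_perforce_fields(composer_json_text: str) -> list:
    """Return a list of findings for Perforce repository fields that contain
    shell metacharacters. An empty list means nothing suspicious was seen;
    this is a pre-flight sanity check, not a proof that the file is safe."""
    doc = json.loads(composer_json_text)
    repos = doc.get("repositories", [])
    # "repositories" may be a JSON array or a name-keyed object; normalise to a list.
    if isinstance(repos, dict):
        repos = list(repos.values())
    findings = []
    for idx, repo in enumerate(repos):
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        for field in PERFORCE_FIELDS:
            value = repo.get(field)
            if isinstance(value, str) and (m := SHELL_META.search(value)):
                findings.append({"repo": idx, "field": field,
                                 "char": m.group(0), "value": value})
    return findings


# Constructed sample: one benign Perforce repository and one whose branch value
# carries a shell metacharacter (illustrative values, not taken from any real project).
SAMPLE = json.dumps({
    "repositories": [
        {"type": "perforce", "url": "ssl:perforce.example.internal:1666",
         "depot": "//depot/libs", "branch": "main", "p4user": "build"},
        {"type": "perforce", "url": "perforce.example.internal:1666",
         "depot": "//depot/libs", "branch": "main; true"},
    ]
})

if __name__ == "__main__":
    for f in find_suspicious_perforce_fields(SAMPLE):
        print(f"repo #{f['repo']} field {f['field']!r}: "
              f"unexpected {f['char']!r} in {f['value']!r}")
```

Run it against each composer.json before invoking Composer; any finding is a reason to stop and review the repository entry by hand.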
Read at The Hacker News