Ethical Hacking News
Two high-severity security vulnerabilities have been discovered in Composer, a package manager for PHP. The vulnerabilities could result in arbitrary command execution and have left many developers scrambling to patch their applications. In this article, we will delve into the details of these new vulnerabilities and provide guidance on how developers can protect themselves against potential exploits.
Two high-severity security vulnerabilities have been discovered in Composer, the dependency manager for PHP. They affect Composer versions >= 2.3, < 2.9.6 and >= 2.0, < 2.2.27, and stem from improper input validation in the Perforce VCS driver. Upgrading to 2.9.6 (or 2.2.27 on the 2.2 series) closes them and prevents arbitrary command execution. Where immediate patching is not possible, developers should inspect composer.json files before running Composer.
Two high-severity security vulnerabilities disclosed on April 14, 2026 have been discovered in Composer, the dependency manager for PHP. Both can result in arbitrary command execution, and the disclosure has left many developers scrambling to patch their applications.
According to the advisory released by the Composer maintainers, the vulnerabilities affect versions >= 2.3, < 2.9.6 and >= 2.0, < 2.2.27. Both stem from improper input validation in the Perforce VCS driver: an attacker who controls a repository configuration, or the source metadata of a package, can inject arbitrary commands, which then run with the privileges of the user executing Composer.
The first vulnerability, CVE-2026-40176 (CVSS 7.8), is triggered by declaring a Perforce VCS repository in a malicious composer.json file; this leads to arbitrary command execution even when no Perforce client is installed on the machine running Composer. The second, CVE-2026-40261 (CVSS 8.8), lets an attacker inject arbitrary commands through a crafted source reference containing shell metacharacters.
The advisory acknowledges that immediate patching is not always possible. As interim measures it advises developers to inspect composer.json files before running Composer and verify that any Perforce-related fields hold valid values (in particular, none containing shell metacharacters), to use only trusted Composer repositories, to run Composer only on projects from trusted sources, and to prefer dist archives over source checkouts where a dist archive is available, via the "--prefer-dist" flag or the "preferred-install: dist" configuration setting, since a dist install does not invoke the VCS driver to fetch the package.
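To make the "inspect composer.json before running Composer" advice concrete, the following audit script is an added example of my own (it is not code from Composer, Packagist or the advisory). It flags any repository that would select the Perforce driver, checks the Perforce-related fields for shell metacharacters, checks composer.lock for packages whose source type is perforce (the vector for a crafted source reference), and reports when preferred-install is not "dist". It assumes the field names url, branch, p4user and p4password for a Perforce repository entry, treats depot and reference as additional fields worth checking, and uses the heuristic (an assumption, not Composer's documented behaviour) that a generic "vcs" repository whose URL mentions perforce or p4 may also end up on the Perforce driver. The sample composer.json and composer.lock are constructed for the example.

```python
import json
import re

# Shell metacharacters that have no business in a repository URL, branch,
# depot path, user name or source reference.
_SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\'\"!*?]")

# Fields of a Perforce repository entry / package source that may reach a
# p4 command line. url/branch/p4user/p4password are the documented Perforce
# repository options; depot and reference are extra fields I chose to check
# (assumption: the driver may pass them through as well).
_P4_FIELDS = ("url", "branch", "p4user", "p4password", "depot", "reference")


def _perforce_entries(repositories):
    """Yield (label, entry) for each repository that would use the Perforce driver.

    Composer accepts `repositories` either as a list or as a name-keyed object.
    An explicit type "perforce" is definite; a generic "vcs" repository whose
    URL mentions perforce/p4 is flagged on a heuristic basis (assumption).
    """
    items = repositories.items() if isinstance(repositories, dict) else enumerate(repositories)
    for key, entry in items:
        if not isinstance(entry, dict):
            continue
        rtype = str(entry.get("type", "")).lower()
        url = str(entry.get("url", ""))
        if rtype == "perforce" or (rtype == "vcs" and re.search(r"\b(perforce|p4)\b", url, re.I)):
            yield f"repositories[{key!r}]", entry


def _suspicious_fields(entry, fields):
    """Return the names of string fields in `entry` that contain shell metacharacters."""
    return [f for f in fields if isinstance(entry.get(f), str) and _SHELL_META.search(entry[f])]


def audit_composer_json(text):
    """Return a list of findings for a composer.json document given as a string."""
    doc = json.loads(text)
    findings = []
    for label, entry in _perforce_entries(doc.get("repositories", [])):
        # The repository is probed before any package is installed, so its mere
        # presence in an untrusted composer.json is worth a finding.
        findings.append(f"{label}: declares a Perforce repository (driver runs before install)")
        for f in _suspicious_fields(entry, _P4_FIELDS):
            findings.append(f"{label}.{f}: shell metacharacters in {entry[f]!r}")
    # preferred-install may also be a pattern map; anything other than the plain
    # string "dist" is reported conservatively.
    pref = (doc.get("config") or {}).get("preferred-install")
    if pref != "dist":
        findings.append("config.preferred-install is not 'dist'; source installs would invoke VCS drivers")
    return findings


def audit_composer_lock(text):
    """Return findings for a composer.lock document: packages sourced from Perforce."""
    lock = json.loads(text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            src = pkg.get("source") or {}
            if str(src.get("type", "")).lower() != "perforce":
                continue
            name = pkg.get("name", "?")
            findings.append(f"{section}/{name}: source.type is perforce")
            for f in _suspicious_fields(src, _P4_FIELDS):
                findings.append(f"{section}/{name}.source.{f}: shell metacharacters in {src[f]!r}")
    return findings


# Constructed sample inputs (not real projects): one composer.json with a
# Perforce repository whose branch carries an injected command, and one
# composer.lock with a clean git package and a Perforce-sourced package whose
# reference carries a command substitution.
SAMPLE_COMPOSER_JSON = """
{
  "name": "example/app",
  "require": {"acme/widget": "^1.0"},
  "repositories": [
    {"type": "perforce", "url": "perforce.example.com:1666",
     "branch": "//depot/main; id", "p4user": "build"}
  ]
}
"""

SAMPLE_COMPOSER_LOCK = """
{
  "packages": [
    {"name": "acme/widget", "version": "1.0.0",
     "source": {"type": "git", "url": "https://git.example.com/acme/widget.git",
                "reference": "0123456789abcdef0123456789abcdef01234567"}},
    {"name": "acme/legacy", "version": "2.0.0",
     "source": {"type": "perforce", "url": "p4.example.com:1666",
                "reference": "$(id)"}}
  ],
  "packages-dev": []
}
"""

if __name__ == "__main__":
    for line in audit_composer_json(SAMPLE_COMPOSER_JSON) + audit_composer_lock(SAMPLE_COMPOSER_LOCK):
        print(line)
```

Run it against the project's own files before invoking Composer on anything pulled from an untrusted source; a non-empty result for the Perforce checks is a reason to stop and look, while the preferred-install finding is advisory, since a package that ships no dist archive falls back to a source checkout regardless of the setting.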
Composer also said it had scanned Packagist.org and found no evidence that threat actors had exploited the flaws by publishing packages with malicious Perforce information. As a precaution, Packagist.org has refused to publish Perforce source metadata since April 10, 2026.
Developers should upgrade to Composer 2.9.6, or to 2.2.27 if they remain on the 2.2 series, and apply the interim measures above until they can. The discovery of these flaws is another reminder that a package manager runs with the full privileges of the developer or build account, and that keeping it up to date matters as much as keeping the dependencies it installs up to date.
Related Information:
https://www.ethicalhackingnews.com/articles/New-PHP-Composer-Flaws-Enable-Arbitrary-Command-Execution-A-Devastating-Blow-to-Web-Development-ehn.shtml
https://thehackernews.com/2026/04/new-php-composer-flaws-enable-arbitrary.html
https://cybersixt.com/a/uQDDnxgV3V0ajtS2DvqAH-
Published: Tue Apr 14 14:58:42 2026 by llama3.2 3B Q4_K_M