

Ethical Hacking News

The Perforce VCS Driver Vulnerability: A Critical Flaw in PHP Composer's Dependency Management



PHP Composer, a widely used dependency manager for PHP, has been found to contain two high-severity vulnerabilities that could allow attackers to execute arbitrary commands on a user's system. The flaws, identified as CVE-2026-40176 and CVE-2026-40261, stem from improper input validation and insufficient escaping in the Perforce VCS driver. Update Composer immediately to version 2.9.6 or 2.2.27 (LTS) to protect your systems.

  • Two high-severity vulnerabilities (CVE-2026-40176 and CVE-2026-40261) were found in PHP Composer.
  • The vulnerabilities stem from improper input validation and insufficient escaping in the Perforce VCS driver.
  • CVE-2026-40176 allows arbitrary command execution through malicious composer.json files, while CVE-2026-40261 enables command injection through crafted metadata.
  • Composer versions 2.9.6 and 2.2.27 have addressed the vulnerabilities.
  • Users are advised to update Composer immediately and review composer.json files for valid Perforce fields.
  • To mitigate CVE-2026-40261, avoid installing dependencies from source and rely on trusted repositories.




The first vulnerability, CVE-2026-40176, affects the generateP4Command() method of the Perforce VCS driver. This method inserts user-controlled connection parameters, such as port, user, and client, into shell commands without sanitization. If an attacker can get a malicious composer.json that declares a Perforce VCS repository onto a victim's machine, the values in that file are interpolated into the command line, and arbitrary commands run in the context of the user running Composer.

The second vulnerability, CVE-2026-40261, impacts the syncCodeBase() method of the Perforce VCS driver. This method fails to escape source references, so crafted repository metadata can inject commands. The flaw is triggered when a user installs or updates dependencies from source, even if Perforce is not installed on the machine, which makes a compromised repository a viable delivery vector.

Both vulnerabilities have been addressed in Composer 2.9.6 and 2.2.27, and users are advised to update immediately. Users should also review composer.json files carefully to ensure that Perforce fields are valid and run Composer only on trusted projects.

To mitigate CVE-2026-40261, users can avoid installing dependencies from source by passing the --prefer-dist flag or by setting preferred-install to dist in the Composer config. They should also rely only on trusted repositories, since the attack depends on crafted metadata.

According to an advisory, scans of Packagist.org and Private Packagist found no exploitation attempts so far. However, Perforce metadata publishing and the Perforce VCS driver were disabled as a precautionary measure on April 10, 2026, for all users.

This incident highlights the importance of keeping software up to date and being cautious when using dependency managers like PHP Composer. Users should prioritize security and take proactive measures to protect their systems from potential vulnerabilities.
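As an added example (not from the advisory, and not Composer's own code), the following Python checker applies the two pieces of advice above to a composer.json: it flags Perforce repository entries whose string fields contain shell metacharacters, and it reports a preferred-install setting other than dist. The sample composer.json is constructed for the example; the Perforce repository keys url, p4user, branch and depot are assumed from Composer's repository documentation.

```python
"""Audit a composer.json for the Perforce VCS driver risk described above."""
import json
import re

# Characters that carry meaning for a POSIX shell. Any of them inside a value
# that Composer would pass to the p4 command line is a red flag.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\\'\"\s]")

# Constructed sample: one clean Perforce entry, one whose url field carries a
# shell metacharacter, and one unrelated vcs entry that must be ignored.
SAMPLE_COMPOSER_JSON = """
{
  "config": {"preferred-install": "source"},
  "repositories": [
    {"type": "perforce", "url": "perforce.example.com:1666",
     "p4user": "builder", "branch": "main", "depot": "depot/app"},
    {"type": "perforce", "url": "perforce.example.com:1666; id",
     "p4user": "builder", "branch": "main", "depot": "depot/app"},
    {"type": "vcs", "url": "https://github.com/example/lib"}
  ]
}
"""


def perforce_findings(composer_json: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    doc = json.loads(composer_json)
    findings = []
    repos = doc.get("repositories", [])
    # "repositories" may also be an object keyed by name; normalise to a list.
    if isinstance(repos, dict):
        repos = list(repos.values())
    for idx, repo in enumerate(repos):
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        for key, value in repo.items():
            if key == "type" or not isinstance(value, str):
                continue
            if SHELL_META.search(value):
                findings.append(
                    f"repositories[{idx}].{key}: shell metacharacters in {value!r}")
    # Mitigation for CVE-2026-40261: install from dist, not from source.
    pref = doc.get("config", {}).get("preferred-install", "dist")
    if pref != "dist":
        findings.append(f"config.preferred-install is {pref!r}; set it to 'dist'")
    return findings


if __name__ == "__main__":
    for line in perforce_findings(SAMPLE_COMPOSER_JSON):
        print(line)
```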



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Perforce-VCS-Driver-Vulnerability-A-Critical-Flaw-in-PHP-Composers-Dependency-Management-ehn.shtml

  • https://securityaffairs.com/190824/security/php-composer-flaws-enable-remote-command-execution-via-perforce-vcs.html

  • https://thehackernews.com/2026/04/new-php-composer-flaws-enable-arbitrary.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-40176

  • https://www.cvedetails.com/cve/CVE-2026-40176/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-40261

  • https://www.cvedetails.com/cve/CVE-2026-40261/


Published: Wed Apr 15 04:26:01 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.