New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released
Apr 14, 2026
Vulnerability / DevSecOps
Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below - CVE-2026-40176 (CVSS score: 7.8) - An improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer. CVE-2026-40261 (CVSS score: 8.8) - An improper input validation vulnerability stemming from inadequate escaping that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. In both cases, Composer would execute these injected ...
