Skip to main content

CVE-2026-40261

HIGH
OS Command Injection (CWE-78)
2026-04-14 https://github.com/composer/composer GHSA-gqw4-4w2p-838q
8.8
CVSS 3.1 · Vendor: https://github.com/composer/composer
Share

Severity by source

Vendor (https://github.com/composer/composer) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (https://github.com/composer/composer).

CVSS VectorVendor: https://github.com/composer/composer

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 15, 2026 - 21:22 vuln.today
cvss_changed
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 14, 2026 - 22:36 vuln.today
Analysis Generated
Apr 14, 2026 - 20:31 vuln.today
CVE Published
Apr 14, 2026 - 20:01 nvd
HIGH 8.8

DescriptionCVE.org

Impact

The Perforce::syncCodeBase() method appended the $sourceReference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 the Perforce::generateP4Command() method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping from the source url field. Composer would execute these injected commands even if Perforce is not installed.

The source reference and url are provided as part of package metadata. Any Composer package repository can serve package metadata declaring perforce as a source type with a malicious source reference or source url. This means the vulnerability can be exploited through any package served by a compromised or malicious Composer repository. An attack does not require Perforce to be installed on the client, as Composer will attempt to execute the constructed command regardless.

This vulnerability is exploitable when installing or updating dependencies from source (--prefer-source, default when installing dev prefixed versions), even if you do not use Perforce.

Patches

Fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline)

Note, the fix for the source url in the Perforce::generateP4Command() was addressed as part of the patches for GHSA-wg36-wvj6-r67p / CVE-2026-40176 in the same versions.

Workarounds

  • Avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting.
  • Only use trusted Composer repositories.

AnalysisAI

Command injection in Composer's Perforce integration allows remote code execution when installing packages from malicious repositories. The vulnerability exists in versions before 2.2.27 and 2.9.6, affecting all users who install dependencies from source (--prefer-source or dev versions) regardless of whether Perforce is installed. Attackers can inject shell commands through crafted source references or connection parameters in package metadata served by compromised Composer repositories. CVSS 8.8 (High) with network attack vector, low complexity, and no authentication required (though user interaction is needed). No confirmed active exploitation (CISA KEV), but publicly available exploit code exists per GitHub advisory disclosure.

Technical ContextAI

Composer is PHP's dependency manager. The vulnerability affects Composer's Perforce version control integration, specifically in the syncCodeBase() and generateP4Command() methods. These methods construct shell commands by concatenating user-controlled input from package metadata without proper escaping or sanitization. The flaw is rooted in CWE-78 (OS Command Injection), where shell metacharacters in the sourceReference parameter and Perforce connection parameters (port, user, client) from source URLs are passed directly to shell execution functions. Critically, Composer attempts to execute these commands even when Perforce is not installed on the system, expanding the attack surface beyond actual Perforce users. The affected packages are identified as pkg:composer/composer_composer in CPE nomenclature, encompassing the mainline and LTS branches prior to the patched versions.

RemediationAI

Upgrade immediately to Composer 2.2.27 (for 2.2 LTS users) or Composer 2.9.6 (for mainline users), which include comprehensive fixes for both the syncCodeBase() and generateP4Command() command injection vulnerabilities. The patches implement proper input sanitization and escaping for source references and Perforce connection parameters. Users can verify their current version with 'composer --version' and upgrade using 'composer self-update --2.2' for LTS or 'composer self-update' for mainline. As interim mitigation, configure Composer to prefer distribution packages over source installation by using the --prefer-dist flag or setting 'preferred-install: dist' in composer.json configuration. Additionally, implement strict controls on allowed Composer repositories and only use trusted sources, as the vulnerability is exploitable through any compromised or malicious package repository. Review and audit existing composer.json and composer.lock files for dependencies from untrusted sources. Full technical details and patches are documented in the GitHub security advisories at github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Web and Scripting 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed

Share

CVE-2026-40261 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy