securityaffairs.com 4/15/2026, 9:19:06 AM · via preferred

PHP Composer bugs enable RCE via Perforce VCS driver


Two high-severity flaws in PHP Composer could let attackers execute arbitrary commands through malicious repository configurations handled by the Perforce VCS driver. The vulnerabilities stem from improper input validation and insufficient escaping, enabling command injection when a malicious composer.json or a crafted source reference contains shell metacharacters. The advisory lists two CVEs, CVE-2026-40176 and CVE-2026-40261, with CVSS scores of 7.8 and 8.8 respectively; both are tied to the Perforce VCS driver.

The fixes arrive in Composer 2.9.6 (mainline) and 2.2.27 (2.2 LTS), which address the command-injection flaws; users are urged to update by running composer.phar self-update. To mitigate CVE-2026-40261, avoid installing dependencies from source by using --prefer-dist or setting preferred-install to dist, and rely only on trusted repositories. CVE-2026-40176 requires careful review of composer.json files to ensure that Perforce fields are valid.
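The review recommended above can be scripted. The following checker is an added example, not code from the advisory or the Composer project: it parses a composer.json, flags Perforce repository entries whose string fields contain shell metacharacters, and reports whether preferred-install is set to dist. The metacharacter list and the set of Perforce fields inspected are assumptions for this check, not taken from the advisory.

```python
import json
import re

# Characters that can break out of a shell argument (constructed list for this check).
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]*?!\n\r\\'\"]")

# Perforce repository keys inspected; an assumed set, not a list from the advisory.
PERFORCE_FIELDS = ("url", "p4user", "p4password", "branch", "depot", "reference")


def audit_composer(config: dict) -> list:
    """Return human-readable findings for a parsed composer.json document."""
    findings = []
    for i, repo in enumerate(config.get("repositories") or []):
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        findings.append(f"repositories[{i}]: Perforce repository entry present; review it")
        for field in PERFORCE_FIELDS:
            value = repo.get(field)
            if isinstance(value, str) and SHELL_META.search(value):
                findings.append(f"repositories[{i}].{field}: shell metacharacters in {value!r}")
    pref = (config.get("config") or {}).get("preferred-install", "auto")
    # preferred-install may also be a per-package mapping; every entry must be "dist".
    all_dist = all(v == "dist" for v in pref.values()) if isinstance(pref, dict) else pref == "dist"
    if not all_dist:
        findings.append(f"config.preferred-install is {pref!r}; set it to 'dist' to avoid source installs")
    return findings


def audit_json_text(text: str) -> list:
    """Parse composer.json text and audit it."""
    return audit_composer(json.loads(text))


# Constructed sample composer.json with one suspicious Perforce entry and a weak config.
SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "example/app",
    "repositories": [
        {"type": "perforce", "url": "perforce.example.test:1666", "p4user": "build",
         "branch": "main; echo injected"},
        {"type": "composer", "url": "https://repo.packagist.org"},
    ],
    "config": {"preferred-install": "source"},
})

if __name__ == "__main__":
    for finding in audit_json_text(SAMPLE_COMPOSER_JSON):
        print(finding)
```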

According to the advisory, scans of Packagist.org and Private Packagist found no exploitation attempts, and Perforce metadata publishing and the Perforce VCS driver were disabled on 10 April 2026, with updates rolling out to Private Packagist Self-Hosted users.


Article by CyberSIXT
