thehackernews.com 4/14/2026, 5:21:44 PM · via preferred

Composer Flaws Let Attackers Run Arbitrary Code via JSON

CyberSIXT Evidence Panel

TWO high-severity security vulnerabilities have been disclosed in Composer, the PHP package manager, that could allow arbitrary command execution through a Perforce VCS driver configuration. The flaws are CVE-2026-40176 (CVSS 7.8) and CVE-2026-40261 (CVSS 8.8), both arising from improper input validation and escaping, respectively, and could enable an attacker to inject commands via a malicious composer[.]json or a crafted source reference.

In both cases, Composer would execute the injected commands in the context of the user running Composer, even if Perforce is not installed. The affected versions are >= 2.3 and < 2.9.6 (fixed in 2.9.6) and >= 2.0 and < 2.2.27 (fixed in 2.2.27). Packagist[.]org was scanned and no evidence of exploitation has been found, according to the advisory, and a new release is expected for Private Packagist Self-Hosted customers.

To mitigate, users are advised to patch promptly, inspect composer[.]json files for Perforce-related fields, use trusted repositories, and avoid installing dependencies with the --prefer-dist or preferred-install: dist settings.

View Primary Source Via thehackernews.com

Article by CyberSIXT