PT-2026-32621 · Composer · Composer

Published: 2026-04-14 · Updated: 2026-04-16 · CVE-2026-40176

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Composer versions 1.0 through 2.2.26
Composer versions 2.3 through 2.9.5

Description
An issue exists in the Perforce VCS driver where the generateP4Command() function constructs shell commands by interpolating user-supplied Perforce connection parameters without proper escaping. An attacker can inject arbitrary commands through the port, user, and client variables within a malicious composer.json file that declares a Perforce VCS repository. This leads to command execution in the context of the user running Composer, regardless of whether Perforce is installed on the system. This can occur if a user runs Composer commands on untrusted projects. VCS repositories are only loaded from the root composer.json or the Composer config directory, so the issue cannot be exploited via dependency packages.

Recommendations
Update Composer versions 1.0 through 2.2.26 to version 2.2.27.
Update Composer versions 2.3 through 2.9.5 to version 2.9.6.
Only run Composer commands on projects from trusted sources.
Carefully inspect composer.json files to verify that Perforce-related fields contain valid values before execution.
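The two points above that a practitioner can act on are the unsafe pattern (connection parameters interpolated into a shell command string) and the recommended pre-execution check of Perforce fields in composer.json. The following Python script is an added example written for this advisory; it is not Composer's code and does not reproduce generateP4Command(). It shows a naive string-built p4 command beside a version that quotes each parameter as a single shell word, and a checker that flags shell metacharacters in any string field of a "perforce"-type repository entry. The composer.json content is constructed for the example, and the checker deliberately does not assume which key names carry the port, user and client values, since the advisory does not name them.

```python
import json
import re
import shlex

# Constructed sample composer.json (not from any real project). The second
# repository entry carries a shell metacharacter sequence in its url field,
# the first is a plain entry that should pass the check.
SAMPLE_COMPOSER_JSON = r'''{
  "name": "example/app",
  "repositories": [
    {"type": "perforce", "url": "perforce.example.internal:1666",
     "p4user": "builder", "branch": "main"},
    {"type": "perforce", "url": "perforce.example.internal:1666; echo CONSTRUCTED_MARKER",
     "p4user": "builder", "branch": "main"}
  ]
}'''

# Characters that change how a POSIX shell parses a command line. Legitimate
# Perforce host:port values, user names and client names never need any of them,
# so a single match is enough to reject the field.
SHELL_META = re.compile(r'[;&|`$<>(){}\[\]!\\"\'\s*?#~]')


def build_p4_command_unsafe(port, user, client, subcommand="info"):
    """The pattern the advisory describes: parameters interpolated straight
    into a shell command string. A ';' in any of them ends the p4 command and
    starts a new one."""
    return f"p4 -p {port} -u {user} -c {client} {subcommand}"


def build_p4_command_safe(port, user, client, subcommand="info"):
    """Hardened form: every untrusted value becomes exactly one shell word via
    shlex.quote (escapeshellarg() is the PHP equivalent), so metacharacters
    reach p4 as literal text instead of being parsed by the shell."""
    return " ".join([
        "p4",
        "-p", shlex.quote(port),
        "-u", shlex.quote(user),
        "-c", shlex.quote(client),
        shlex.quote(subcommand),
    ])


def build_p4_argv(port, user, client, subcommand="info"):
    """Best option where the API allows it: an argv list handed to the process
    launcher with no shell at all, so there is nothing to escape."""
    return ["p4", "-p", port, "-u", user, "-c", client, subcommand]


def find_unsafe_perforce_fields(composer_json_text):
    """Return (repository_index, key, value) for every string field of a
    "perforce"-type repository that contains shell metacharacters.

    Every string field is checked rather than a fixed list of keys, because the
    composer.json key names for port, user and client are not assumed here."""
    data = json.loads(composer_json_text)
    repos = data.get("repositories", [])
    # composer.json also permits a name -> definition object for repositories.
    if isinstance(repos, dict):
        repos = list(repos.values())
    findings = []
    for idx, repo in enumerate(repos):
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        for key, value in repo.items():
            if key == "type" or not isinstance(value, str):
                continue
            if SHELL_META.search(value):
                findings.append((idx, key, value))
    return findings


if __name__ == "__main__":
    for idx, key, value in find_unsafe_perforce_fields(SAMPLE_COMPOSER_JSON):
        print(f"repositories[{idx}].{key} contains shell metacharacters: {value!r}")
    tainted = "perforce.example.internal:1666; echo CONSTRUCTED_MARKER"
    print("unsafe:", build_p4_command_unsafe(tainted, "builder", "ws1"))
    print("safe:  ", build_p4_command_safe(tainted, "builder", "ws1"))
```

Run the checker against a project's root composer.json before invoking Composer on it; any finding means the file should be treated as untrusted until the field is corrected. The quoted command string is shown only to make the contrast visible; in new code, prefer the argv form and never hand a concatenated string to a shell.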

Tags: Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers
CVE-2026-40176
GHSA-WG36-WVJ6-R67P

Affected Products
Composer