PT-2026-32622 · Composer · Composer

Published

2026-04-14

·

Updated

2026-05-06

·

CVE-2026-40261

CVSS v2.0

10

High

Vector AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Composer versions 1.0 through 2.2.26
Composer versions 2.3 through 2.9.5
Description

OS command injection is possible in the PHP dependency manager Composer. The Perforce::syncCodeBase() function appends the $sourceReference parameter to a shell command without escaping it. In addition, Perforce::generateP4Command() builds shell commands by interpolating the Perforce connection parameters (port, user, client) taken from the package's source url field, again without escaping. An attacker who controls the source reference or source url values and includes shell metacharacters in them can therefore inject arbitrary commands. Both values come from package metadata, so a compromised or malicious Composer repository can serve metadata that declares perforce as the source type and carries the payload. The issue is triggered when dependencies are installed or updated from source. Because the injected segment is parsed and run by the shell before the p4 binary is ever invoked, the commands execute even when Perforce is not installed on the client system.
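The following is an added illustration, not code from Composer: a minimal reconstruction of the unescaped-interpolation pattern the description attributes to Perforce::syncCodeBase() and Perforce::generateP4Command(), beside a hardened version that validates each metadata field against an allow-list and quotes it before it reaches a shell. The function names, the constructed sample metadata (with connection parameters split into separate keys for readability) and the validation patterns are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not Composer's own code. It demonstrates the pattern the
// advisory describes (metadata concatenated into a shell line) and one way to
// harden it. Field layout, names and regexes are assumptions for this example.

// Constructed sample metadata a malicious repository could serve. The
// reference ends with a shell metacharacter sequence; "#" comments out the rest.
const MALICIOUS_SOURCE = [
    'type'      => 'perforce',
    'url'       => 'p4.example.test:1666',
    'user'      => 'builder',
    'client'    => 'ci',
    'reference' => '@123; touch /tmp/pwned #',
];

// Constructed benign metadata for comparison.
const BENIGN_SOURCE = [
    'type'      => 'perforce',
    'url'       => 'p4.example.test:1666',
    'user'      => 'builder',
    'client'    => 'ci',
    'reference' => '@123',
];

/** Vulnerable pattern: metadata is concatenated straight into a shell line. */
function buildSyncCommandVulnerable(array $src): string
{
    $p4 = 'p4 -p ' . $src['url'] . ' -u ' . $src['user'] . ' -c ' . $src['client'];
    return $p4 . ' sync ' . $src['reference'];
}

/** Hardened: strict allow-list per field, then escapeshellarg() on every value. */
function buildSyncCommandHardened(array $src): string
{
    $rules = [
        'url'       => '~^[A-Za-z0-9.\-]+(:[0-9]{1,5})?$~',  // host[:port]
        'user'      => '~^[A-Za-z0-9._\-]+$~',
        'client'    => '~^[A-Za-z0-9._\-]+$~',
        'reference' => '~^@?[A-Za-z0-9._/\-]+$~',           // changelist or label
    ];
    foreach ($rules as $field => $re) {
        if (!isset($src[$field]) || !is_string($src[$field]) || !preg_match($re, $src[$field])) {
            throw new InvalidArgumentException("Rejected Perforce source field: $field");
        }
    }
    $args = ['p4', '-p', $src['url'], '-u', $src['user'], '-c', $src['client'], 'sync', $src['reference']];
    return implode(' ', array_map('escapeshellarg', $args));
}

/** Crude check for an unquoted shell metacharacter in a built command line. */
function hasShellMetacharacters(string $cmd): bool
{
    return (bool) preg_match('/[;&|`$<>(){}\n]/', $cmd);
}

/** Builds both variants for a source and reports whether the result is dangerous. */
function evaluate(array $src): array
{
    $vuln = buildSyncCommandVulnerable($src);
    try {
        $hardened = buildSyncCommandHardened($src);
    } catch (InvalidArgumentException $e) {
        $hardened = 'rejected: ' . $e->getMessage();
    }
    return [
        'vulnerable'          => $vuln,
        'vulnerable_injects'  => hasShellMetacharacters($vuln),
        'hardened'            => $hardened,
    ];
}

foreach (['malicious' => MALICIOUS_SOURCE, 'benign' => BENIGN_SOURCE] as $label => $src) {
    echo "== $label ==\n";
    foreach (evaluate($src) as $k => $v) {
        printf("%-20s %s\n", $k, is_bool($v) ? var_export($v, true) : $v);
    }
}
```

For the malicious sample the vulnerable builder yields `p4 -p p4.example.test:1666 -u builder -c ci sync @123; touch /tmp/pwned #`. Handed to a shell, the `;` makes `touch` run regardless of whether the preceding `p4` invocation succeeds or even exists, which is why the description notes that Perforce need not be installed. The hardened builder rejects the same metadata before any command is constructed, and for the benign sample emits a fully quoted line.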
Recommendations

Update Composer versions 1.0 through 2.2.26 to version 2.2.27. Update Composer versions 2.3 through 2.9.5 to version 2.9.6. Until the update is applied, avoid installing dependencies from source by passing the --prefer-dist flag or setting preferred-install to dist in the configuration; note that a dist install still falls back to source for packages that publish no dist archive, so this reduces exposure rather than removing it. Use only trusted Composer repositories, since the malicious metadata is delivered by the repository that serves the package.

Exploit

Fix

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-05521
BDU:2026-05574
BIT-COMPOSER-2026-40261
CVE-2026-40261
GHSA-GQW4-4W2P-838Q
OPENSUSE-SU-2026:10643-1
RHSA-2026:8165

Affected Products

Composer