PT-2026-32622 · Composer · Composer
Published: 2026-04-14 · Updated: 2026-04-16
CVE-2026-40261
CVSS v3.1: 8.8 (High) · AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Composer versions 1.0 through 2.2.26
Composer versions 2.3 through 2.9.5
Description
Command injection is possible through the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping. Additionally, the Perforce::generateP4Command() method interpolates user-supplied Perforce connection parameters (port, user, client) taken from the source url field without proper escaping. An attacker can inject arbitrary commands via crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Because these values are provided as part of package metadata, any compromised or malicious repository can serve malicious values. The issue is exploitable when installing or updating dependencies from source, which includes the default behavior for dev-prefixed versions.
Recommendations
Update versions 1.0 through 2.2.26 to 2.2.27.
Update versions 2.3 through 2.9.5 to 2.9.6.
Avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting.
Only use trusted Composer repositories.
Tags: Exploit · Fix · RCE · OS Command Injection
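The defect class in the description, shown as an added illustration that is not Composer's own code: a metadata value (source reference, or the port/user/client fields parsed from a source url) concatenated into a shell command string as-is, beside the hardened form that quotes each value with PHP's escapeshellarg() and an allow-list check that rejects unexpected characters before any command is built. The function names buildSyncCommandUnsafe, buildSyncCommandSafe, buildP4CommandSafe and isSafeMetadataValue are hypothetical, the exact p4 argument shape is illustrative rather than Composer's actual invocation, and the sample values are constructed.

```php
<?php
// Added illustration, not Composer's code. Function names are hypothetical;
// the p4 argument layout is illustrative only. -p/-u/-c are p4's real global
// options for port, user and client.
declare(strict_types=1);

/**
 * Mirrors the defect: the reference from package metadata is appended to
 * the command string without escaping, so shell metacharacters in it are
 * interpreted by the shell rather than passed to p4.
 */
function buildSyncCommandUnsafe(string $p4, string $sourceReference): string
{
    return $p4 . ' sync @' . $sourceReference;
}

/**
 * Hardened form: every metadata-derived value is wrapped in escapeshellarg(),
 * so it reaches p4 as one literal argument whatever characters it contains.
 */
function buildSyncCommandSafe(string $p4, string $sourceReference): string
{
    return escapeshellarg($p4) . ' sync ' . escapeshellarg('@' . $sourceReference);
}

/**
 * Same treatment for the connection parameters parsed from the source url.
 * The subcommand is a fixed literal chosen by the caller, never metadata.
 */
function buildP4CommandSafe(string $p4, string $port, string $user, string $client): string
{
    return implode(' ', [
        escapeshellarg($p4),
        '-p', escapeshellarg($port),
        '-u', escapeshellarg($user),
        '-c', escapeshellarg($client),
        'info',
    ]);
}

/**
 * Defense in depth: an allow-list for references, ports (host:port or
 * ssl:host:port), users and client names. Anything else is rejected up
 * front, which is also the point at which a suspicious package can be logged.
 */
function isSafeMetadataValue(string $value): bool
{
    return $value !== '' && preg_match('/\A[A-Za-z0-9._:@\/-]+\z/', $value) === 1;
}

// Constructed sample values; the second carries a shell metacharacter.
$references = ['12345', '12345; echo injected'];

foreach ($references as $ref) {
    printf("reference %s\n", var_export($ref, true));
    printf("  allow-list check : %s\n", isSafeMetadataValue($ref) ? 'accept' : 'reject');
    printf("  unsafe command   : %s\n", buildSyncCommandUnsafe('p4', $ref));
    printf("  hardened command : %s\n", buildSyncCommandSafe('p4', $ref));
}

// Connection parameters as they might be parsed from a source url
// (constructed values); each is validated and then quoted.
$conn = ['port' => 'ssl:perforce.example.test:1666', 'user' => 'builder', 'client' => 'ci-ws'];
foreach ($conn as $name => $value) {
    if (!isSafeMetadataValue($value)) {
        fwrite(STDERR, "rejecting $name from package metadata\n");
        exit(1);
    }
}
echo buildP4CommandSafe('p4', $conn['port'], $conn['user'], $conn['client']), "\n";
```

Run with `php illustration.php`. In the unsafe output the injected reference produces a command string with a second shell statement, while the hardened output shows it enclosed in single quotes as one argument; the allow-list check rejects it before either string is built. The hardened path is the pattern the fixed versions take (escape every metadata-derived value), and the allow-list is an extra layer that also gives a clean place to log and refuse a package whose metadata looks malformed.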
Affected Products
Composer