PT-2026-32621 · Composer · Composer

Published 2026-04-14 · Updated 2026-05-06 · CVE-2026-40176

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Composer versions 1.0 through 2.2.26
Composer versions 2.3 through 2.9.5

Description
A command injection issue exists in the Perforce VCS driver of Composer, a dependency manager for PHP. The Perforce::generateP4Command() function constructs shell commands by interpolating user-supplied Perforce connection parameters without proper escaping. An attacker can inject arbitrary commands through the port, user, or client variables within a malicious 'composer.json' file that declares a Perforce VCS repository. This allows arbitrary command execution in the context of the user running Composer, regardless of whether Perforce is installed on the system. The issue can be triggered when running Composer commands on untrusted projects. VCS repositories are only loaded from the root 'composer.json' or the Composer config directory, so it cannot be exploited via dependency packages.

Recommendations
Update to version 2.2.27 for versions 1.0 through 2.2.26. Update to version 2.9.6 for versions 2.3 through 2.9.5. Only run Composer commands on projects from trusted sources. Carefully inspect 'composer.json' files to verify that Perforce-related fields contain valid values before execution.
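The last recommendation can be automated as a pre-execution check. The Python script below is an added example, not part of this advisory or of Composer itself: it parses a 'composer.json', walks every repository entry of type "perforce" (Composer accepts the repositories key as either a list or a name-keyed object) and flags any string field that contains characters a shell would interpret, so it does not depend on knowing exactly which field the driver interpolates. The sample document and the metacharacter set are constructed for the example.

```python
import json
import re
from typing import Dict, List, Tuple

# Characters a shell would interpret if the value were pasted into a command
# line without escaping. A genuine Perforce port (host:1666), user name or
# depot path never needs any of them. (Constructed set for this example.)
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\\\"']")


def find_suspicious_perforce_fields(composer_json: str) -> List[Dict[str, str]]:
    """Return one finding per string field of a Perforce repository entry that
    contains shell metacharacters. Non-Perforce repositories are ignored,
    since the advisory only concerns the Perforce VCS driver."""
    data = json.loads(composer_json)
    repos = data.get("repositories", [])
    entries: List[Tuple[str, object]]
    if isinstance(repos, dict):
        entries = list(repos.items())          # {"name": {...}} form
    else:
        entries = [(str(i), r) for i, r in enumerate(repos)]  # list form
    findings: List[Dict[str, str]] = []
    for name, repo in entries:
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        for key, value in repo.items():
            if isinstance(value, str) and SHELL_META.search(value):
                findings.append({"repository": name, "field": key, "value": value})
    return findings


# Constructed sample: one clean Perforce entry, one whose url (the Perforce
# port) carries an injected command, and a non-Perforce entry that must not
# be reported even though it contains a semicolon.
SAMPLE_COMPOSER_JSON = json.dumps({
    "repositories": [
        {"type": "perforce", "url": "perforce.example.com:1666", "p4user": "builder"},
        {"type": "perforce", "url": "perforce.example.com:1666; echo injected", "p4user": "builder"},
        {"type": "vcs", "url": "https://git.example.com/lib.git; echo ignored"},
    ]
})


def scan_sample() -> List[Dict[str, str]]:
    return find_suspicious_perforce_fields(SAMPLE_COMPOSER_JSON)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"repository {f['repository']}: field {f['field']!r} = {f['value']!r}")
```

Run it against the project's root 'composer.json' before invoking Composer; a non-empty result means the file should be reviewed by hand rather than executed.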

Tags: Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2026-05521
BIT-COMPOSER-2026-40176
CVE-2026-40176
GHSA-WG36-WVJ6-R67P
OPENSUSE-SU-2026:10643-1
RHSA-2026:8165

Affected Products

Composer