SUSE-SU-2026:1784-1

Vulnerability from csaf_suse - Published: 2026-05-08 17:05 - Updated: 2026-05-08 17:05
Summary
Security update for php-composer2
Severity
Important
Notes
Title of the patch: Security update for php-composer2
Description of the patch: This update for php-composer2 fixes the following issues: - CVE-2026-40176: arbitrary command injection via malicious Perforce repository definition (bsc#1262254). - CVE-2026-40261: arbitrary command injection via malicious Perforce source reference/url (bsc#1262255).
Patchnames: SUSE-2026-1784,SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1784,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1784,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1784
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.9.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:php-composer2-2.6.4-150600.3.9.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:php-composer2-2.6.4-150600.3.9.1.noarch
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.9.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP6-LTSS:php-composer2-2.6.4-150600.3.9.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP6:php-composer2-2.6.4-150600.3.9.1.noarch
Vendor Fix
Threats
Impact important

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for php-composer2",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for php-composer2 fixes the following issues:\n\n- CVE-2026-40176: arbitrary command injection via malicious Perforce repository definition (bsc#1262254).\n- CVE-2026-40261: arbitrary command injection via malicious Perforce source reference/url (bsc#1262255).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-1784,SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1784,SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-1784,SUSE-SLE-Product-SLES_SAP-15-SP6-2026-1784",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1784-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:1784-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261784-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:1784-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025999.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1262254",
        "url": "https://bugzilla.suse.com/1262254"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1262255",
        "url": "https://bugzilla.suse.com/1262255"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-40176 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-40176/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-40261 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-40261/"
      }
    ],
    "title": "Security update for php-composer2",
    "tracking": {
      "current_release_date": "2026-05-08T17:05:56Z",
      "generator": {
        "date": "2026-05-08T17:05:56Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:1784-1",
      "initial_release_date": "2026-05-08T17:05:56Z",
      "revision_history": [
        {
          "date": "2026-05-08T17:05:56Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer2-2.6.4-150600.3.9.1.noarch",
                "product": {
                  "name": "php-composer2-2.6.4-150600.3.9.1.noarch",
                  "product_id": "php-composer2-2.6.4-150600.3.9.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
                  "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp7"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP6-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp6"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.6.4-150600.3.9.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
          "product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.9.1.noarch"
        },
        "product_reference": "php-composer2-2.6.4-150600.3.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.6.4-150600.3.9.1.noarch as component of SUSE Linux Enterprise Server 15 SP6-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP6-LTSS:php-composer2-2.6.4-150600.3.9.1.noarch"
        },
        "product_reference": "php-composer2-2.6.4-150600.3.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP6-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.6.4-150600.3.9.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP6",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP6:php-composer2-2.6.4-150600.3.9.1.noarch"
        },
        "product_reference": "php-composer2-2.6.4-150600.3.9.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP6"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-40176",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-40176"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.9.1.noarch",
          "SUSE Linux Enterprise Server 15 SP6-LTSS:php-composer2-2.6.4-150600.3.9.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP6:php-composer2-2.6.4-150600.3.9.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-40176",
          "url": "https://www.suse.com/security/cve/CVE-2026-40176"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262254 for CVE-2026-40176",
          "url": "https://bugzilla.suse.com/1262254"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.9.1.noarch",
            "SUSE Linux Enterprise Server 15 SP6-LTSS:php-composer2-2.6.4-150600.3.9.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP6:php-composer2-2.6.4-150600.3.9.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.9.1.noarch",
            "SUSE Linux Enterprise Server 15 SP6-LTSS:php-composer2-2.6.4-150600.3.9.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP6:php-composer2-2.6.4-150600.3.9.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-08T17:05:56Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-40176"
    },
    {
      "cve": "CVE-2026-40261",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-40261"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.9.1.noarch",
          "SUSE Linux Enterprise Server 15 SP6-LTSS:php-composer2-2.6.4-150600.3.9.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP6:php-composer2-2.6.4-150600.3.9.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-40261",
          "url": "https://www.suse.com/security/cve/CVE-2026-40261"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262255 for CVE-2026-40261",
          "url": "https://bugzilla.suse.com/1262255"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.9.1.noarch",
            "SUSE Linux Enterprise Server 15 SP6-LTSS:php-composer2-2.6.4-150600.3.9.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP6:php-composer2-2.6.4-150600.3.9.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.9.1.noarch",
            "SUSE Linux Enterprise Server 15 SP6-LTSS:php-composer2-2.6.4-150600.3.9.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP6:php-composer2-2.6.4-150600.3.9.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-08T17:05:56Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-40261"
    }
  ]
}









