Critical Command Injection Vulnerabilities Patched in Composer PHP Package Manager
**Composer**, a widely used package manager for PHP, has released patches for two high-severity command injection vulnerabilities. Successful exploitation of these flaws could allow an attacker to execute arbitrary commands on systems running vulnerable versions of Composer.

### Vulnerability Details
The vulnerabilities are command injection flaws affecting the Perforce VCS (version control software) driver. Here's a breakdown:
* **CVE-2026-40176** (CVSS score: 7.8): An improper input validation vulnerability that allows an attacker who controls a repository configuration (for example, a malicious `composer.json` file declaring a Perforce VCS repository) to inject arbitrary commands. The injected commands run in the context of the user running Composer.
* **CVE-2026-40261** (CVSS score: 8.8): An improper input validation vulnerability caused by inadequate escaping. It allows an attacker to inject arbitrary commands through a crafted source reference that contains shell metacharacters.
Notably, **Composer** maintainers stated that the injected commands would execute even if Perforce VCS is not installed.
### Affected Versions
The following versions are affected:
* `>= 2.3, < 2.9.6` (Fixed in version 2.9.6)
* `>= 2.0, < 2.2.27` (Fixed in version 2.2.27)
### Mitigation Strategies
If immediate patching is not feasible, the following steps are advised:
* Inspect `composer.json` files before running Composer.
* Verify that Perforce-related fields contain valid values.
* Use only trusted Composer repositories.
* Run Composer commands on projects from trusted sources.
* Avoid installing dependencies using the `--prefer-dist` or the `preferred-install: dist` configuration setting.
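The first two mitigations above (inspect `composer.json`, verify Perforce-related fields) can be turned into a pre-install lint. The following is an added example written for this article, not code from the Composer project: it flags Perforce repository entries, and inline package sources of Perforce type, whose string fields contain shell metacharacters. It assumes the Perforce driver is selected by `"type": "perforce"` and uses a conservative metacharacter set; the sample `composer.json` is constructed.

```python
import json
import re

# Conservative set of shell metacharacters that have no business in a Perforce
# URL, depot path, branch name or source reference (assumption for this lint).
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")

def _scan_fields(location, mapping, findings):
    """Record every string field in `mapping` that contains a metacharacter."""
    for field, value in mapping.items():
        if isinstance(value, str) and SHELL_META.search(value):
            findings.append((location, field, value))

def find_suspicious_perforce_entries(composer_json_text):
    """Return (location, field, value) findings for Perforce repositories and
    inline package sources whose string fields contain shell metacharacters.
    Assumption: the Perforce driver is selected by type == "perforce"."""
    data = json.loads(composer_json_text)
    findings = []
    repos = data.get("repositories", [])
    if isinstance(repos, dict):        # composer.json also allows an object here
        repos = list(repos.values())
    for idx, repo in enumerate(repos):
        if not isinstance(repo, dict):
            continue
        rtype = str(repo.get("type", "")).lower()
        if rtype == "perforce":
            _scan_fields(f"repositories[{idx}]", repo, findings)
        elif rtype == "package":       # inline package carrying its own source block
            package = repo.get("package", {})
            source = package.get("source", {}) if isinstance(package, dict) else {}
            if isinstance(source, dict) and str(source.get("type", "")).lower() == "perforce":
                _scan_fields(f"repositories[{idx}].package.source", source, findings)
    return findings

# Constructed sample: one clean Perforce repo, one with a metacharacter in the
# branch field, and an inline package whose source reference carries one.
SAMPLE_COMPOSER_JSON = json.dumps({
    "repositories": [
        {"type": "perforce", "url": "perforce.example.com:1666", "branch": "main"},
        {"type": "perforce", "url": "perforce.example.com:1666", "branch": "main;x"},
        {"type": "package", "package": {
            "name": "vendor/pkg", "version": "1.0.0",
            "source": {"type": "perforce", "url": "perforce.example.com:1666",
                       "reference": "123 $(x)"}}},
    ]
})

if __name__ == "__main__":
    for location, field, value in find_suspicious_perforce_entries(SAMPLE_COMPOSER_JSON):
        print(f"{location}.{field}: {value!r}")
```

Any finding should block the install until the file has been reviewed by hand; a clean result is not proof of safety, only that the obvious metacharacters are absent.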
### No Exploitation Detected (Yet)
**Composer** reported scanning Packagist.org and found no evidence of active exploitation by threat actors publishing packages with malicious Perforce information. A new release is expected for Private Packagist Self-Hosted customers.
"As a precaution, publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026," it said. "Composer installations should be updated immediately regardless."