CVE-2026-40176
Description
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
composer/composerPackagist | >= 2.3.0, < 2.9.6 | 2.9.6 |
composer/composerPackagist | >= 1.0.0, < 2.2.27 | 2.2.27 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-wg36-wvj6-r67pghsaADVISORY
- github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67pnvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-40176ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40176.yamlghsaWEB
- github.com/composer/composer/releases/tag/2.9.6nvdRelease NotesWEB
News mentions
27- iPadOS 26.5 RC 2 (23F77)Apple Security Releases · May 8, 2026
- iOS 26.5 RC 2 (23F77)Apple Security Releases · May 8, 2026
- TeamPCP Weekly Analysis: 2026-W18 (2026-04-27 through 2026-05-03), (Mon, May 4th)SANS Internet Storm Center · May 4, 2026
- Shadow IT has given way to shadow AI. Enter AI-BOMsThe Register Security · May 4, 2026
- Shadow IT has given way to shadow AI. Enter AI-BOMsThe Register Security · May 4, 2026
- Xcode 26.5 RC (17F42)Apple Security Releases · May 4, 2026
- iPadOS 18.7.9 (22H355)Apple Security Releases · May 4, 2026
- iOS 18.7.9 (22H355)Apple Security Releases · May 4, 2026
- visionOS 26.5 RC (23O471)Apple Security Releases · May 4, 2026
- iOS 26.5 RC (23F75)Apple Security Releases · May 4, 2026
- tvOS 26.5 RC (23L471)Apple Security Releases · May 4, 2026
- iPadOS 26.5 RC (23F75)Apple Security Releases · May 4, 2026
- macOS 26.5 RC (25F71)Apple Security Releases · May 4, 2026
- watchOS 26.5 RC (23T570)Apple Security Releases · May 4, 2026
- PyTorch Lightning and Intercom-client Hit in Supply Chain Attacks to Steal CredentialsThe Hacker News · Apr 30, 2026
- Cisco releases open-source toolkit for verifying AI model lineageHelp Net Security · Apr 30, 2026
- iOS 26.5 beta 4 (23F5069b)Apple Security Releases · Apr 27, 2026
- Xcode 26.5 beta 3 (17F5032f)Apple Security Releases · Apr 27, 2026
- iPadOS 26.5 beta 4 (23F5069b)Apple Security Releases · Apr 27, 2026
- macOS 26.5 beta 4 (25F5068a)Apple Security Releases · Apr 27, 2026
- tvOS 26.5 beta 4 (23L5469a)Apple Security Releases · Apr 27, 2026
- watchOS 26.5 beta 4 (23T5568a)Apple Security Releases · Apr 27, 2026
- visionOS 26.5 beta 4 (23O5468a)Apple Security Releases · Apr 27, 2026
- iOS 18.7.8 (22H352)Apple Security Releases · Apr 22, 2026
- iPadOS 18.7.8 (22H352)Apple Security Releases · Apr 22, 2026
- App Store Connect UpdateApple Security Releases · Apr 16, 2026
- App Store Connect API 4.3Apple Security Releases · Mar 10, 2026