Description
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).
Published: 2026-04-15
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates in the Composer dependency manager's Perforce::generateP4Command() routine, which concatenates the user-controlled connection parameters (port, user, and client) directly into a shell command without quoting or escaping. An attacker can therefore place arbitrary shell code in those fields of a malicious composer.json that declares a Perforce VCS repository. When Composer processes that repository definition, the injected code runs with the privileges of the user invoking Composer, giving full command execution on that system; the Perforce client does not need to be installed for this to happen. The flaw is a classic command injection, classified as CWE-20 and CWE-78.

Affected Systems

Affected releases of Composer span versions 1.0 through 2.2.26 and 2.3 through 2.9.5. The issue is fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). Only the root composer.json and the Composer configuration directory are consulted when VCS repositories are loaded, so the composer.json files of installed dependency packages cannot trigger the flaw. Users are at risk only when they run Composer commands against untrusted projects that contain an attacker-supplied composer.json declaring a Perforce VCS repository.

Risk and Exploitability

The CVSS score of 7.8 indicates a high‑severity vulnerability. The EPSS score is not provided, suggesting no measurement of exploitation probability is available at this time. The flaw is not listed in CISA’s KEV catalog, so no confirmed active exploits are documented. Exploitation requires the attacker to supply a crafted composer.json file, so it is contingent on the user executing Composer on untrusted input. In practice, the most likely vector is a developer pulling a project from a source that an attacker controls, leading to execution in the developer’s user context.

Generated by OpenCVE AI on April 16, 2026 at 02:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Composer to version 2.2.27 or higher, which removes the vulnerable code path.
  • Limit Composer usage to trusted code bases; avoid running Composer on external or unverified projects that include Perforce VCS definitions.
  • Inspect and cleanse existing composer.json files of any Perforce VCS entries before executing Composer commands if the project’s provenance is uncertain.
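Hardened handling of the three parameters named in the Impact section (validate against an allowlist, then pass each one through escapeshellarg() instead of raw interpolation), combined with the pre-flight composer.json review recommended in the last action above. This is an added example, not Composer's own code or its fix; the repository key names (type, url, p4user), the client name, the p4 command-line flags and the sample composer.json are assumptions constructed for illustration.

```php
<?php
// Added example, not Composer's own code. Allowlist patterns for the three
// Perforce connection parameters the advisory names (port, user, client).
const P4_PORT_RE  = '/^[A-Za-z0-9.\-]+:[0-9]{1,5}$/';   // host:port only
const P4_IDENT_RE = '/^[A-Za-z0-9._\-]+$/';              // plain identifier

// Reject a value before it reaches a shell; the vulnerable code had no such gate.
function validateP4Param(string $name, string $value, string $pattern): string
{
    if (preg_match($pattern, $value) !== 1) {
        throw new InvalidArgumentException("Rejected Perforce $name: unsafe value");
    }
    return $value;
}

// Hardened builder: validated input, then escapeshellarg() so each parameter
// is exactly one shell word instead of a raw interpolated string.
function buildP4Command(string $port, string $user, string $client): string
{
    validateP4Param('port', $port, P4_PORT_RE);
    validateP4Param('user', $user, P4_IDENT_RE);
    validateP4Param('client', $client, P4_IDENT_RE);
    return sprintf('p4 -p %s -u %s -c %s info',
        escapeshellarg($port), escapeshellarg($user), escapeshellarg($client));
}

// Pre-flight review: list repositories of type "perforce" in a root composer.json
// (key names are assumed for illustration) before running any Composer command.
function findPerforceRepos(string $json): array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return array_values(array_filter(
        $data['repositories'] ?? [],
        fn ($repo) => ($repo['type'] ?? '') === 'perforce'
    ));
}

// Constructed sample: the second entry carries a shell metacharacter in the port.
$sample = '{"repositories":['
        . '{"type":"perforce","url":"p4.example.test:1666","p4user":"alice"},'
        . '{"type":"perforce","url":"p4.example.test:1666; echo injected","p4user":"bob"}]}';
foreach (findPerforceRepos($sample) as $repo) {
    try {
        echo buildP4Command($repo['url'], $repo['p4user'], 'review-ws'), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

The first repository yields a fully quoted p4 command line; the second is rejected by the port allowlist before any command string is built.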


Advisories
Source: Github GHSA
ID: GHSA-wg36-wvj6-r67p
Title: Composer has a command injection via malicious perforce repository
History

Thu, 16 Apr 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 09:15:00 +0000

Type: First Time appeared
Values Added: Getcomposer; Getcomposer composer
Type: Vendors & Products
Values Added: Getcomposer; Getcomposer composer

Wed, 15 Apr 2026 21:00:00 +0000

Type: Description
Values Added: (identical to the Description at the top of this page)
Type: Title
Values Added: Composer is vulnerable to Command Injection via Malicious Perforce Repository
Type: Weaknesses
Values Added: CWE-20; CWE-78
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Subscriptions

Getcomposer Composer
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T14:16:39.968Z

Reserved: 2026-04-09T20:59:17.619Z

Link: CVE-2026-40176

Vulnrichment

Updated: 2026-04-16T14:16:20.118Z

NVD

Status: Received

Published: 2026-04-15T21:17:27.357

Modified: 2026-04-15T21:17:27.357

Link: CVE-2026-40176

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:00:05Z

Weaknesses