Description
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.
Published: 2026-04-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Immediate Patch
AI Analysis

Impact

Composer, the PHP dependency manager, has a command injection flaw in the Perforce::syncCodeBase() and Perforce::generateP4Command() methods. The library appends a user‑supplied source reference and connection parameters directly into shell commands without escaping. An attacker can therefore inject arbitrary shell commands through crafted metadata fields in a Composer repository, even if Perforce is not installed. This vulnerability affects package installation and updating, including the default handling of dev‑prefixed versions, and allows an attacker who controls the package metadata to execute arbitrary code on the host system.
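As an added example (not Composer's code and not part of this advisory), the following audit turns the advisory's guidance into a check a defender can run before an install: it scans a composer.lock for packages declaring perforce as the source type whose url or reference carries shell metacharacters, and tests whether config.preferred-install forces dist installs. The lock excerpt, the hostnames and the perforce url layout are constructed for illustration and are assumptions, not Composer's exact format.

```python
import json

# Characters with special meaning to a POSIX shell; none belongs in a Perforce
# depot path, changelist reference or connection string.
SHELL_META = set(';&|`$<>(){}\n\r\\"\'')

# Constructed composer.lock excerpt (not from any real project); the perforce
# url layout is an assumption made for illustration.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "vendor/clean-git",
         "source": {"type": "git", "url": "https://example.invalid/clean-git.git",
                    "reference": "0123abcd"}},
        {"name": "vendor/clean-p4",
         "source": {"type": "perforce", "url": "p4.example.invalid:1666",
                    "reference": "//depot/app/...@1200"}},
        {"name": "vendor/dev-p4",
         "source": {"type": "perforce", "url": "p4.example.invalid:1666",
                    "reference": "//depot/app/... ; echo injected"}},
    ],
})
SAMPLE_CONFIG_WEAK = json.dumps({"config": {"preferred-install": "auto"}})
SAMPLE_CONFIG_FIXED = json.dumps({"config": {"preferred-install": "dist"}})


def audit_lock(lock_json: str) -> list:
    """Return (package, field, value) for each perforce source url or
    reference that contains a shell metacharacter."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in json.loads(lock_json).get(section, []):
            src = pkg.get("source") or {}
            if src.get("type") != "perforce":
                continue
            for field in ("url", "reference"):
                value = str(src.get(field, ""))
                if any(c in SHELL_META for c in value):
                    findings.append((pkg.get("name", "?"), field, value))
    return findings


def prefers_dist(composer_json: str) -> bool:
    """True when config.preferred-install forces dist installs (the advisory's
    workaround); a per-package map must say dist for every entry."""
    config = json.loads(composer_json).get("config") or {}
    pref = config.get("preferred-install", "auto")
    if isinstance(pref, dict):
        return bool(pref) and all(v == "dist" for v in pref.values())
    return pref == "dist"
```

A non-empty result from audit_lock is a reason to refuse a source install on an unpatched Composer and to question the repository that served the metadata.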

Affected Systems

Vulnerable Composer releases include versions 1.0 through 2.2.26 and 2.3 through 2.9.5. The issue is fixed in Composer 2.2.27 (LTS) and 2.9.6 (mainline).

Risk and Exploitability

The CVSS score of 8.8 signals a high‑severity flaw. Exploitation requires only that a malicious or compromised Composer repository is used; no additional software needs to be present. The vulnerability is actively exploitable during normal dependency installation, making it a direct and realistic threat in environments that rely on untrusted repositories or public packages.

Generated by OpenCVE AI on April 17, 2026 at 05:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Composer to at least version 2.2.27 or 2.9.6 to apply the vendor fix.
  • When installing or updating, run Composer with the --prefer-dist flag or set preferred-install to dist so that dependencies are not built from source.
  • Only use trusted Composer repositories to reduce the risk of malicious package metadata.



Advisories
Source: Github GHSA
ID: GHSA-gqw4-4w2p-838q
Title: Composer has a command injection via malicious perforce reference
History

Sat, 25 Apr 2026 18:15:00 +0000

Type: CPEs
Values added: cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*

Fri, 17 Apr 2026 12:15:00 +0000

Type: References
Type: Metrics
Values removed: threat_severity = None
Values added: threat_severity = Important


Thu, 16 Apr 2026 14:15:00 +0000

Type: Metrics
Values added: ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 09:15:00 +0000

Type: First Time appeared
Values added: Getcomposer; Getcomposer composer
Type: Vendors & Products
Values added: Getcomposer; Getcomposer composer

Wed, 15 Apr 2026 21:15:00 +0000

Type: Description
Values added: the advisory text shown in the Description section above
Type: Title
Values added: Composer has Command Injection via Malicious Perforce Reference
Type: Weaknesses
Values added: CWE-20, CWE-78
Type: References
Type: Metrics
Values added: cvssV3_1 = {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T13:41:12.977Z

Reserved: 2026-04-10T17:31:45.787Z

Link: CVE-2026-40261

Vulnrichment

Updated: 2026-04-16T13:41:09.281Z

NVD

Status: Analyzed

Published: 2026-04-15T21:17:27.693

Modified: 2026-04-25T18:12:00.320

Link: CVE-2026-40261

Red Hat

Severity: Important

Public Date: 2026-04-15T20:56:32Z

Links: CVE-2026-40261 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T06:00:09Z

Weaknesses