CVE-2026-40261
Command Injection in Composer Perforce Methods Allows Remote Code Execution
Publication date: 2026-04-15
Last updated on: 2026-04-25
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| getcomposer | composer | From 1.0.0 (inc) to 2.2.26 (inc) |
| getcomposer | composer | From 2.3.0 (inc) to 2.9.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Composer, a dependency manager for PHP, specifically in versions 1.0 through 2.2.26 and 2.3 through 2.9.5. It involves a command injection flaw in the Perforce::syncCodeBase() method, where the $sourceReference parameter is appended to a shell command without proper escaping. Additionally, the Perforce::generateP4Command() method interpolates user-supplied Perforce connection parameters from the source URL field without proper escaping.
An attacker can exploit this by crafting malicious source reference or source URL values containing shell metacharacters, allowing arbitrary command execution even if Perforce is not installed. This is particularly dangerous because the malicious values can be served as part of package metadata from compromised or malicious Composer repositories.
The vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing development-prefixed versions.
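The unescaped-concatenation pattern the answer describes, next to its escaped form and an input allow-list, as an added illustration in PHP (this is not Composer's code; the function names, the command shape and the sample reference are constructed):

```php
<?php
declare(strict_types=1);
// Added illustration, not Composer's own code: why an unescaped source
// reference is a shell injection, and how argument quoting plus an
// allow-list neutralise it. Function names and sample values are constructed.

// Vulnerable shape: the reference is concatenated verbatim, so any shell
// metacharacter it carries becomes part of the command structure.
function buildSyncCommandUnsafe(string $clientSpec, string $ref): string
{
    return 'p4 -c ' . $clientSpec . ' sync -f @' . $ref;
}

// Hardened shape: each externally influenced token is quoted as ONE shell
// argument, so p4 receives any metacharacters as literal text.
// escapeshellarg() single-quotes on POSIX and double-quotes on Windows;
// it is the correct primitive on both.
function buildSyncCommandSafe(string $clientSpec, string $ref): string
{
    return 'p4 -c ' . escapeshellarg($clientSpec)
         . ' sync -f ' . escapeshellarg('@' . $ref);
}

// Defence in depth for CWE-20: a changelist number or label name never
// legitimately contains whitespace or shell syntax, so reject anything
// outside a tight allow-list before it reaches command construction.
// The character class is an assumption; tighten it to the references
// your depots actually use.
function isPlausibleSourceReference(string $ref): bool
{
    return preg_match('/^[A-Za-z0-9._\/-]{1,255}$/', $ref) === 1;
}

// Constructed sample: a reference carrying a metacharacter, as it could
// arrive in package metadata served by an untrusted repository.
$clientSpec = 'composer_ws';
$ref        = '1234; echo injected';

// The unsafe string contains a second command after the ';'; the safe
// string carries the whole reference as a single quoted argument.
echo buildSyncCommandUnsafe($clientSpec, $ref), PHP_EOL;
echo buildSyncCommandSafe($clientSpec, $ref), PHP_EOL;

// The allow-list rejects the crafted reference and accepts a plain one.
var_dump(isPlausibleSourceReference($ref));
var_dump(isPlausibleSourceReference('1234'));
```

Running the script only builds and prints the two command strings; it never executes them, which is all a reviewer needs to see the structural difference.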
How can this vulnerability impact me?
This vulnerability can lead to arbitrary command execution on the system where Composer is used to install or update dependencies from source. An attacker could execute malicious commands by supplying crafted package metadata, potentially compromising the system's confidentiality, integrity, and availability.
Because the vulnerability allows execution of arbitrary commands without requiring Perforce to be installed, it broadens the attack surface and increases the risk of system compromise.
This could result in unauthorized access, data theft, system damage, or disruption of services.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update Composer to version 2.2.27 (2.2 LTS) or 2.9.6 (mainline) where the issue is fixed.
If updating is not possible right away, avoid installing dependencies from source by using the --prefer-dist option or setting preferred-install to dist in the Composer configuration.
Additionally, only use trusted Composer repositories to reduce the risk of receiving malicious package metadata.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.