Two high-severity security vulnerabilities have been disclosed in Composer, a PHP package manager, that could lead to arbitrary command execution if exploited.
The vulnerabilities affect the Perforce VCS driver and are detailed as follows:
- CVE-2026-40176 (CVSS score: 7.8) – An input validation flaw allowing command injection via a malicious composer.json file.
- CVE-2026-40261 (CVSS score: 8.8) – A vulnerability enabling command injection through improperly escaped source references.
Composer urges users to update to the fixed versions to mitigate the risk. Users are also advised to review their composer.json files, rely only on trusted repositories, and avoid certain configurations.
While no active exploits have been detected, Composer recommends immediate updates to prevent potential attacks.
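Since both flaws sit in the Perforce VCS driver, the first thing a defender wants to know is which projects actually declare a Perforce repository in composer.json. The script below is an added example, not code from the advisory or from the Composer project; it assumes only the documented composer.json layout (a top-level "repositories" list or object whose entries carry a "type" and usually a "url") and that Perforce-backed repositories are declared with type "perforce". The "vcs" heuristic and the sample manifest are constructed for illustration.

```python
"""Find composer.json files that declare Perforce repositories.

Added example (not from the advisory or from Composer itself). It assumes
the documented composer.json layout: a top-level "repositories" entry,
either a list or a name-keyed object, whose items have a "type" key, and
that Perforce repositories are declared with type "perforce".
"""
import json
import os
import sys
from typing import Iterator, List, Tuple

# Constructed sample manifest: one Perforce repository among ordinary entries.
SAMPLE_COMPOSER_JSON = """{
  "name": "example/app",
  "repositories": [
    {"type": "composer", "url": "https://repo.example.test"},
    {"type": "perforce", "url": "perforce.example.test:1666",
     "depot": "depot_name", "branch": "main"},
    {"packagist.org": false}
  ]
}"""


def perforce_repositories(composer_json_text: str) -> List[Tuple[str, str]]:
    """Return (type, url) pairs for repository entries that may use the Perforce driver.

    Entries of type "perforce" are reported outright. Entries of type "vcs"
    are reported only when the URL mentions "perforce" or "p4"; that is a
    heuristic (assumption), since a "vcs" repository is routed to whichever
    driver claims the URL, and it only narrows what a human must review.
    Malformed JSON raises ValueError rather than being treated as clean.
    """
    data = json.loads(composer_json_text)
    repos = data.get("repositories", [])
    # composer.json allows "repositories" as a list or as a name-keyed object.
    if isinstance(repos, dict):
        repos = list(repos.values())
    found: List[Tuple[str, str]] = []
    for repo in repos:
        if not isinstance(repo, dict):
            continue
        rtype = str(repo.get("type", "")).lower()
        url = str(repo.get("url", ""))
        if rtype == "perforce":
            found.append((rtype, url))
        elif rtype == "vcs" and any(tok in url.lower() for tok in ("perforce", "p4")):
            found.append((rtype, url))  # heuristic match, needs manual confirmation
    return found


def scan_tree(root: str) -> Iterator[Tuple[str, List[Tuple[str, str]]]]:
    """Yield (path, hits) for every composer.json under root that has a hit.

    The vendor/ directory is skipped: Composer only honours the root
    manifest's repository definitions, so dependency manifests are noise here.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != "vendor"]
        if "composer.json" in filenames:
            path = os.path.join(dirpath, "composer.json")
            with open(path, encoding="utf-8") as fh:
                try:
                    hits = perforce_repositories(fh.read())
                except ValueError as exc:
                    print(f"{path}: unparseable composer.json ({exc})", file=sys.stderr)
                    continue
            if hits:
                yield path, hits


if __name__ == "__main__":
    # Usage: python find_perforce_repos.py [directory]
    start = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(start):
        for rtype, url in hits:
            print(f"{path}: type={rtype} url={url}")
```

Run it from the root of a checkout tree to get a list of manifests worth prioritising for the update; a project with no hits is not exposed through this driver regardless of its Composer version, while a project with hits should be updated first and its repository URLs confirmed against the trusted sources the advisory recommends.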
Stay safe and secure your Composer installations!