{"id":599,"date":"2026-04-14T17:06:25","date_gmt":"2026-04-14T17:06:25","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=599"},"modified":"2026-04-14T17:06:25","modified_gmt":"2026-04-14T17:06:25","slug":"new-php-composer-flaws-enable-arbitrary-command-execution-patches-released","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=599","title":{"rendered":"New PHP Composer Flaws Enable Arbitrary Command Execution \u2014 Patches Released"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">Apr 14, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ DevSecOps<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>Two high-severity security vulnerabilities\u00a0have been <a href=\"https:\/\/blog.packagist.com\/composer-2-9-6-perforce-driver-command-injection-vulnerabilities\/\">disclosed<\/a> in Composer, a package\u00a0manager for\u00a0PHP, that, if successfully exploited, could result in arbitrary command execution.<\/p>\n<p>The vulnerabilities\u00a0have been\u00a0described as command injection flaws affecting the Perforce VCS (version control software) driver. 
Details of the two flaws are below\u00a0&#8211;<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-wg36-wvj6-r67p\">CVE-2026-40176<\/a><\/strong> (CVSS score: 7.8) &#8211; An improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json\u00a0declaring a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer.<\/li>\n<li><strong><a href=\"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-gqw4-4w2p-838q\">CVE-2026-40261<\/a><\/strong> (CVSS score: 8.8) &#8211; An improper input validation vulnerability stemming from inadequate <a href=\"https:\/\/en.wikipedia.org\/wiki\/Escape_sequence\">escaping<\/a> that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.<\/li>\n<\/ul>\n<p>In both cases, Composer would execute these injected commands even if Perforce\u00a0VCS is not\u00a0installed, the maintainers noted in an\u00a0advisory.<\/p>\n<p>The vulnerabilities affect the following versions\u00a0&#8211;<\/p>\n<ul>\n<li>&gt;= 2.3, &lt; 2.9.6\u00a0(Fixed in version 2.9.6)<\/li>\n<li>&gt;= 2.0, &lt; 2.2.27\u00a0(Fixed in version 2.2.27)<\/li>\n<\/ul>\n<p>If immediate patching is not an\u00a0option, 
it&#8217;s\u00a0advised to inspect composer.json\u00a0files before running Composer and verify that Perforce-related fields contain valid\u00a0values. It&#8217;s also recommended\u00a0to only use trusted Composer repositories, run Composer commands on projects from trusted sources, and avoid installing dependencies using the \u00ab--prefer-dist\u00bb\u00a0or the \u00abpreferred-install: dist\u00bb configuration\u00a0setting.<\/p>\n<p>Composer said it scanned Packagist.org\u00a0and did not find\u00a0any\u00a0evidence of the aforementioned vulnerabilities being exploited by threat\u00a0actors by publishing\u00a0packages with malicious Perforce information. A new\u00a0release is\u00a0expected\u00a0to be\u00a0shipped for Private Packagist Self-Hosted customers.<\/p>\n<p>\u00abAs a precaution, publication of Perforce source metadata\u00a0has been\u00a0disabled on Packagist.org\u00a0since Friday, April 10th, 2026,\u00bb it said.\u00a0\u00abComposer installations should be\u00a0updated immediately regardless.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 14, 2026Vulnerability \/ DevSecOps Two high-severity security vulnerabilities\u00a0have been disclosed in Composer, a package\u00a0manager for\u00a0PHP, that, if successfully exploited, could result in arbitrary command execution. 
The vulnerabilities\u00a0have been\u00a0described&hellip;<\/p>\n","protected":false},"author":1,"featured_media":600,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1222,1223,1221,369,13,11,57,1067,1024],"class_list":["post-599","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-arbitrary","tag-command","tag-composer","tag-enable","tag-execution","tag-flaws","tag-patches","tag-php","tag-released"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/599","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=599"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/599\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/600"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=599"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=599"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=599"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}