Composer Command Injection: Malicious Repositories are a New Vector

The National Vulnerability Database (NVD) has disclosed CVE-2026-40261, a high-severity command injection vulnerability impacting Composer, the ubiquitous PHP dependency manager. This flaw, present in versions 1.0 through 2.2.26 and 2.3 through 2.9.5, stems from improper escaping within the Perforce::syncCodeBase() and Perforce::generateP4Command() methods.

Attackers can leverage crafted source reference or source url values containing shell metacharacters to inject arbitrary commands. What makes this particularly nasty, according to NVD, is that these malicious values can be embedded within package metadata served by any compromised or malicious Composer repository. This means even if Perforce isn’t installed, the vulnerability is exploitable when installing or updating dependencies from source, including the default behavior for dev-prefixed versions. This is a significant escalation from previous Composer vulnerabilities, transforming a seemingly niche Perforce-related flaw into a broader supply chain risk.

NVD reports that the issue has been patched in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). For those unable to update immediately, a workaround involves using --prefer-dist or setting preferred-install: dist in the configuration to avoid installing dependencies from source. Additionally, NVD emphasizes only using trusted Composer repositories, which, frankly, should be standard practice anyway.