CVE-2026-40176— Composer is vulnerable to Command Injection via Malicious Perforce Repository
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40176
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Composer is vulnerable to Command Injection via Malicious Perforce Repository
Source: NVD (National Vulnerability Database)
Vulnerability Description
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Composer 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Composer是Composer开源的一个应用软件。提供一个声明,管理和安装PHP项目的依赖项。 Composer 1.0至2.2.26版本和2.3至2.9.5版本存在安全漏洞,该漏洞源于Perforce::generateP4Command方法存在命令注入问题,可能导致命令执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-40176
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40176
请登录查看更多情报信息。
- Release 2.9.6 · composer/composer · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-40176
IV. Related Vulnerabilities
Same product: composer
- CVE-2026-40261
Composer has Command Injection via Malicious Perforce Refere - CVE-2025-67746
Composer vulnerable to ANSI sequence injection - CVE-2024-35242
Composer vulnerable to command injection via malicious git/h - CVE-2024-35241
Composer vulnerable to command injection via malicious git b - CVE-2024-24821
Code execution and possible privilege escalation via comprom
Same vendor: composer
- CVE-2026-40261
Composer has Command Injection via Malicious Perforce Refere - CVE-2025-67746
Composer vulnerable to ANSI sequence injection - CVE-2024-35242
Composer vulnerable to command injection via malicious git/h - CVE-2024-35241
Composer vulnerable to command injection via malicious git b - CVE-2024-24821
Code execution and possible privilege escalation via comprom
Same weakness: CWE-20
V. Comments for CVE-2026-40176
No comments yet