Platform: php
Component: composer/composer
Fixed in: 2.3.1, 1.0.1, 2.9.6
CVE-2026-40176 is a Command Injection vulnerability discovered in Composer, a dependency management tool for PHP. This flaw arises from insufficient escaping of user-supplied Perforce connection parameters within the Perforce::generateP4Command() method. Exploitation allows an attacker to execute arbitrary commands on the system running Composer, even if Perforce itself isn't installed, posing a significant security risk. Affected versions include 1.0.0–>= 2.3, < 2.9.6, with a fix available in version 2.9.6.
The vulnerability lies within the Perforce::generateP4Command() method, which constructs shell commands using user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can craft a malicious composer.json file that declares a Perforce VCS repository. By injecting arbitrary commands into these parameters, the attacker can achieve command execution in the context of the user running Composer. Crucially, this execution occurs even if Perforce itself is not installed on the system. The blast radius extends to any system running Composer with a vulnerable configuration file, potentially compromising the entire development environment. This vulnerability shares similarities with other command injection flaws where unsanitized user input is directly incorporated into shell commands.
CVE-2026-40176 was published on 2026-04-15. Its severity is rated HIGH (CVSS 7.8). There are currently no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not listed on CISA KEV or EPSS, suggesting a low to medium probability of exploitation in the near term. Monitor security advisories from Composer and related PHP communities for updates.
Exploit status
EPSS: 0.01% (2nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Composer to version 2.9.6 or later, which contains the fix for this vulnerability. If an immediate upgrade is not feasible, carefully review all composer.json files, particularly those defining Perforce VCS repositories, for any suspicious or unexpected content. Consider implementing stricter input validation on any data used to configure Perforce connections. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to monitor for unusual command execution patterns originating from Composer processes. There are no specific Sigma or YARA rules available at this time, but monitoring for unexpected process executions related to Composer is recommended.
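As an added defender-side check, not code from this advisory or from the Composer project, the following Python script does the two things the mitigation paragraph asks for: it compares an installed Composer version against the 2.9.6 fix named above, and it audits a composer.json for Perforce VCS repositories whose string fields contain shell metacharacters. The JSON key names in the constructed sample ("url", "p4user", "depot") and the metacharacter set are assumptions; every string field of a perforce repository entry is scanned regardless of key name.

```python
"""Audit helper: flag Perforce repositories in composer.json whose fields
contain shell metacharacters, and check a Composer version against the
2.9.6 fix named in the advisory. Added example, not Composer project code."""
import json
import re
from typing import Dict, List, Tuple

# Version the advisory names as carrying the fix (mainline).
FIXED_VERSION = (2, 9, 6)

# Characters with meaning to a POSIX shell; any of these inside a Perforce
# connection parameter is unexpected and deserves human review. The set is
# an assumption chosen for this example, not taken from Composer.
SHELL_META = re.compile(r"[;&|`$<>\n\r(){}\\\"']")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.9.5' or 'Composer version 2.9.5 2026-01-01' into (2, 9, 5)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable_version(text: str) -> bool:
    """True when the parsed version is older than the advisory's fixed version."""
    return parse_version(text) < FIXED_VERSION


def find_suspicious_perforce_repos(composer_json: str) -> List[Dict[str, str]]:
    """Return one finding per string field of a perforce repository that
    contains shell metacharacters: repository index or name, key and value."""
    data = json.loads(composer_json)
    findings: List[Dict[str, str]] = []
    repos = data.get("repositories", [])
    # composer.json allows repositories as a list or as a name-keyed object.
    entries = repos.items() if isinstance(repos, dict) else enumerate(repos)
    for name, repo in entries:
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        for key, value in repo.items():
            if isinstance(value, str) and SHELL_META.search(value):
                findings.append({"repository": str(name), "key": key, "value": value})
    return findings


# Constructed sample (assumed key names): one clean Perforce repository, one
# whose "url" (the Perforce port parameter) carries an appended shell command,
# and a non-Perforce repository that the check deliberately ignores.
SAMPLE_COMPOSER_JSON = json.dumps({
    "name": "example/app",
    "repositories": [
        {"type": "perforce", "url": "perforce.example.internal:1666",
         "p4user": "build", "depot": "depot"},
        {"type": "perforce", "url": "perforce.example.internal:1666; echo injected",
         "p4user": "build", "depot": "depot"},
        {"type": "vcs", "url": "https://github.com/example/lib"},
    ],
})


if __name__ == "__main__":
    for f in find_suspicious_perforce_repos(SAMPLE_COMPOSER_JSON):
        print(f"repository {f['repository']}: key {f['key']!r} "
              f"contains shell metacharacters: {f['value']!r}")
    print("2.9.5 vulnerable:", is_vulnerable_version("Composer version 2.9.5"))
```

Run it against a real file with `find_suspicious_perforce_repos(open("composer.json").read())` and feed `composer --version` output to `is_vulnerable_version`. A finding is a review prompt, not proof of compromise: a legitimate Perforce host name never needs any of the flagged characters, so each hit should be explained or removed before Composer is run on that project.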
Upgrade Composer to version 2.2.27 or later (2.2 LTS) or to version 2.9.6 (mainline) to mitigate the command injection vulnerability. Avoid using Composer on projects with untrusted composer.json files.
It's a Command Injection vulnerability in Composer, a PHP dependency manager, allowing attackers to execute arbitrary commands via malicious composer.json files.
You are affected if you are using Composer versions 1.0.0–>= 2.3, < 2.9.6. Check your Composer version and upgrade if necessary.
Upgrade Composer to version 2.9.6 or later. If immediate upgrade isn't possible, review composer.json files and consider WAF rules.
Currently, there are no known active campaigns exploiting this vulnerability, but the potential for exploitation is high.
Refer to the official Composer security advisory and the NVD entry for CVE-2026-40176 for detailed information.