{"id":45408,"date":"2026-04-15T02:38:02","date_gmt":"2026-04-14T18:38:02","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/15\/new-php-composer-flaws-enable-arbitrary-command-execution-patches-released\/"},"modified":"2026-04-15T02:38:02","modified_gmt":"2026-04-14T18:38:02","slug":"new-php-composer-flaws-enable-arbitrary-command-execution-patches-released","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/04\/15\/new-php-composer-flaws-enable-arbitrary-command-execution-patches-released\/","title":{"rendered":"New PHP Composer Flaws Enable Arbitrary Command Execution &#8212; Patches Released"},"content":{"rendered":"<div style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgP-RqcuX8QuBEwVkchLNSjyIAqQEuFwy0prqQ1gGqxpBFESQLuCzgGB7-cjYhJrbLhbTk_j8G4NedN06plhhqLd_Rpd01mTh8XcOHjvQ_UuJqfjTROZeh40WlSN_7gzRL4yVKX-Aj0ui2gOxo9l70b3Dy5R6srKjne-gQXIhL7fNAHYZ7rDm6-yWl4-_JD\/s1600\/php-code.jpg\" style=\"display: block; padding: 1em 0; text-align: center; clear: left; float: left;\"><img decoding=\"async\" border=\"0\" data-original-height=\"470\" data-original-width=\"900\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgP-RqcuX8QuBEwVkchLNSjyIAqQEuFwy0prqQ1gGqxpBFESQLuCzgGB7-cjYhJrbLhbTk_j8G4NedN06plhhqLd_Rpd01mTh8XcOHjvQ_UuJqfjTROZeh40WlSN_7gzRL4yVKX-Aj0ui2gOxo9l70b3Dy5R6srKjne-gQXIhL7fNAHYZ7rDm6-yWl4-_JD\/s1600\/php-code.jpg\" alt=\"New PHP Composer Flaws Enable Arbitrary Command Execution &amp;#8212; Patches Released\"\/><\/a><\/div>\n<p>Two high-severity security vulnerabilities&nbsp;have been <a href=\"https:\/\/blog.packagist.com\/composer-2-9-6-perforce-driver-command-injection-vulnerabilities\/\">disclosed<\/a> in Composer, a package&nbsp;manager for&nbsp;PHP, that, if successfully exploited, could result in arbitrary command execution.<\/p>\n<p>The vulnerabilities&nbsp;have been&nbsp;described as command injection flaws affecting the 
Perforce VCS (version control software) driver. Details of the two flaws are below&nbsp;&#8211;<\/p>\n<ul>\n<li><strong><a href=\"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-wg36-wvj6-r67p\">CVE-2026-40176<\/a><\/strong> (CVSS score: 7.8) &#8211; An improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json&nbsp;declaring a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer.<\/li>\n<li><strong><a href=\"https:\/\/github.com\/composer\/composer\/security\/advisories\/GHSA-gqw4-4w2p-838q\">CVE-2026-40261<\/a><\/strong> (CVSS score: 8.8) &#8211; An improper input validation vulnerability stemming from inadequate <a href=\"https:\/\/en.wikipedia.org\/wiki\/Escape_sequence\">escaping<\/a> that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.<\/li>\n<\/ul>\n<p>In both cases, Composer would execute these injected commands even if Perforce&nbsp;VCS is not&nbsp;installed, the maintainers noted in an&nbsp;advisory.<\/p>\n<p>The vulnerabilities affect the following versions&nbsp;&#8211;<\/p>\n<ul>\n<li>&gt;= 2.3, &lt; 2.9.6&nbsp;(Fixed in version 2.9.6)<\/li>\n<li>&gt;= 2.0, &lt; 2.2.27&nbsp;(Fixed in version 2.2.27)<\/li>\n<\/ul>\n<p>If immediate patching is not an&nbsp;option, it&#8217;s&nbsp;advised to inspect composer.json&nbsp;files before running Composer and verify that Perforce-related fields contain valid&nbsp;values. 
It&#8217;s also recommended&nbsp;to only use trusted Composer repositories, run Composer commands on projects from trusted sources, and avoid installing dependencies using the &#8220;--prefer-dist&#8221;&nbsp;or the &#8220;preferred-install: dist&#8221; configuration&nbsp;setting.<\/p>\n<p>Composer said it scanned Packagist.org&nbsp;and did not find&nbsp;any&nbsp;evidence of the aforementioned vulnerabilities being exploited by threat&nbsp;actors by publishing&nbsp;packages with malicious Perforce information. A new&nbsp;release is&nbsp;expected&nbsp;to be&nbsp;shipped for Private Packagist Self-Hosted customers.<\/p>\n<p>&#8220;As a precaution, publication of Perforce source metadata&nbsp;has been&nbsp;disabled on Packagist.org&nbsp;since Friday, April 10th, 2026,&#8221; it said.&nbsp;&#8220;Composer installations should be&nbsp;updated immediately regardless.&#8221;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two high-severity security vulnerabilities&nbsp;have been disclosed in Composer, a package&nbsp;manager for&nbsp;PHP, that, if successfully exploited, could result in arbitrary command execution.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-45408","post","type-post","status-publish","format-standard","hentry","category-thehackernews"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45408","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=45408"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/45408\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=45408"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=45408"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=45408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}