
If you use PHP's Composer package manager, stop what you're doing and run composer self-update (or php composer.phar self-update) right now.
Two newly disclosed command injection vulnerabilities, CVE-2026-40261 and CVE-2026-40176, in Composer's Perforce VCS driver could let an attacker execute arbitrary commands on your system. The unsettling part: Perforce doesn't even need to be installed on your machine for the attack to work. The driver's command line is handed to a shell as one string, so an injected command runs whether or not the p4 binary it is tacked onto exists.
Both flaws were patched today in Composer 2.9.6 and 2.2.27 (LTS) and disclosed by maintainer Nils Adermann. The Composer team's scan of Packagist and Private Packagist found no sign of either vulnerability being exploited in the wild before publication.
CVE-2026-40176, reported by researcher saku0512, lives in the Perforce::generateP4Command() method. The function built shell command strings by interpolating user-supplied connection parameters (port, user and client) directly, without escaping them first.
An attacker who plants a malicious composer.json in a project directory and gets you to run Composer there can embed shell commands inside those fields, and Composer dutifully executes them. This one carries a local attack vector, meaning the attacker needs you to open a booby-trapped project: think of a GitHub repository someone asks you to review and then run composer install in.
CVE-2026-40261 is the more dangerous of the two. Reported by Koda Reef, it affects Perforce::syncCodeBase(), which appended a source reference parameter to a shell command without escaping shell metacharacters.
Unlike the first flaw, this one has a network-level attack vector: any compromised or outright malicious Composer package repository can serve package metadata with a weaponised source reference, which triggers execution when developers install or update the package from source (the default behaviour for dev- prefixed versions).
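To make the mechanism behind both flaws concrete, here is an added illustration in POSIX sh. It is not Composer's code and does not reproduce the PHP driver; it models a p4 command line built by plain string interpolation next to one whose untrusted fields are single-quoted before interpolation, and runs both through sh -c the way a shell-string executor would. -p, -u and -c are p4's real global options for port, user and client; the info subcommand, the field values and the INJECTED marker are constructed placeholders. Because the shell simply reports p4 as missing and carries on with the rest of the line, the payload fires on a machine with no Perforce client at all, which is the point the article makes.

```shell
#!/bin/sh
# Added illustration of the bug class above (not Composer's own code): a "p4"
# command line built by string interpolation versus one whose untrusted fields
# are quoted. Field values, the "info" subcommand and the INJECTED marker are
# constructed for the demo.

# Unsafe: port, user and client are pasted straight into the command string.
build_p4_unsafe() {
    printf 'p4 -p %s -u %s -c %s info' "$1" "$2" "$3"
}

# shq VALUE -> VALUE wrapped in single quotes, with each embedded single quote
# rewritten as '\'' (the transformation PHP's escapeshellarg applies).
shq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Hardened: every attacker-influenced field is quoted before interpolation.
build_p4_safe() {
    printf 'p4 -p %s -u %s -c %s info' "$(shq "$1")" "$(shq "$2")" "$(shq "$3")"
}

# run_cmd STRING -> runs STRING through sh -c, as a shell-string executor
# would, and returns combined stdout/stderr. p4 need not be installed: the
# shell reports it missing and carries on with whatever follows the ';'.
run_cmd() {
    sh -c "$1" 2>&1 || true
}

# injected CMDSTRING -> exit 0 if executing CMDSTRING ran the planted payload.
injected() {
    case "$(run_cmd "$1")" in
        *INJECTED*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed hostile repository configuration: the user field carries a payload.
PORT='perforce.example.com:1666'
USER_FIELD='alice; echo INJECTED'
CLIENT='composer_ws'

demo() {
    unsafe=$(build_p4_unsafe "$PORT" "$USER_FIELD" "$CLIENT")
    safe=$(build_p4_safe "$PORT" "$USER_FIELD" "$CLIENT")
    echo "unsafe: $unsafe"
    if injected "$unsafe"; then echo "  payload executed"; else echo "  payload did not run"; fi
    echo "safe:   $safe"
    if injected "$safe"; then echo "  payload executed"; else echo "  payload did not run"; fi
}

demo
```

The same quoting step is what closes the syncCodeBase() hole: the source reference is one more attacker-influenced string that must be quoted before it is appended to the command line.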
Both weaknesses are classified under CWE-78 (OS Command Injection) and CWE-20 (Improper Input Validation), each rated High severity.
Update to Composer 2.9.6 or 2.2.27 immediately. As an interim measure against CVE-2026-40261, avoid installing from source by passing the --prefer-dist flag (or setting preferred-install to dist); note that this only helps for packages that publish a dist archive, since Composer falls back to a source checkout when no dist is available. Against CVE-2026-40176, never run Composer on a project from an untrusted source without first inspecting its composer.json by hand, paying particular attention to any repository of type perforce.
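An added helper for the remediation steps above, not Composer's own tooling: it decides whether a Composer version string already carries the fix on its branch (2.2.27 on the 2.2 LTS line, 2.9.6 otherwise), then shows the update and preferred-install commands. The version parser and the 2.2-versus-everything-else branching are my own; composer self-update, its --2.2 flag for staying on the LTS line, and composer config --global preferred-install dist are Composer's documented commands. Only the offline version check runs in the demo; remediate() needs a real composer on PATH.

```shell
#!/bin/sh
# Added remediation helper (not Composer's own tooling): version check for
# the fixed releases named above, plus the update and hardening commands.

# vercmp A B -> prints -1, 0 or 1 comparing dotted numeric versions; a
# pre-release suffix such as "-RC1" or build metadata after "+" is ignored.
vercmp() {
    a=${1%%[-+]*}
    b=${2%%[-+]*}
    old_ifs=$IFS
    IFS=.
    set -- $a
    a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b
    b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$old_ifs
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return 0; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# composer_is_patched VERSION -> exit 0 if VERSION is at or above the fixed
# release on its branch, 1 if it is still vulnerable. A pre-release of the
# fixed version itself (e.g. 2.9.6-RC1) predates the fix and counts as
# vulnerable.
composer_is_patched() {
    case "$1" in
        2.2.*) fixed=2.2.27 ;;
        *)     fixed=2.9.6 ;;
    esac
    cmp=$(vercmp "$1" "$fixed")
    if [ "$cmp" -eq 0 ]; then
        case "$1" in *-*) return 1 ;; esac
    fi
    [ "$cmp" -ge 0 ]
}

# Live check and fix; needs composer on PATH, so it is not run by the demo.
remediate() {
    v=$(composer --version --no-ansi 2>/dev/null | sed -n 's/^Composer version \([^ ]*\).*/\1/p')
    if composer_is_patched "$v"; then
        echo "Composer $v already contains the fix"
        return 0
    fi
    echo "Composer $v is vulnerable; updating"
    case "$v" in
        2.2.*) composer self-update --2.2 ;;   # stay on the LTS line
        *)     composer self-update ;;
    esac
    # Interim hardening against CVE-2026-40261: prefer dist archives over
    # source checkouts. Packages without a dist archive still come from source.
    composer config --global preferred-install dist
}

# Offline demo on constructed version strings.
for v in 2.9.5 2.9.6 2.10.0 2.2.26 2.2.27 2.8.12 2.9.6-RC1; do
    if composer_is_patched "$v"; then echo "$v: patched"; else echo "$v: vulnerable"; fi
done
```

Versions between 2.3 and 2.8 report as vulnerable on purpose: the fix for them is to move up to 2.9.6, not to an intermediate release.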