Composer 2.9.6 and 2.2.27 LTS have been released to patch two command injection vulnerabilities (CVE-2026-40261 and CVE-2026-40176) in the Perforce VCS driver. The first flaw affects the generateP4Command() method and can be triggered via malicious Perforce connection parameters in a root composer.json. The second affects syncCodeBase() and allows injection via a crafted source reference when installing dependencies from a compromised repository, even when Perforce is not installed. No exploitation in the wild has been detected. Users should run `composer self-update` immediately and prefer `--prefer-dist` installs to reduce exposure.
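A small triage check for the two mitigations above: confirm the installed Composer is at or past the fixed release for its line, and list every place a project pulls code through the Perforce driver. This is an added example, not code from the advisory or from Composer itself; it assumes Perforce repositories appear with `"type": "perforce"` in composer.json and in lock-file `source` entries, and the sample manifests are constructed.

```python
import json
import re

# Fixed releases named in the advisory. Assumption: later releases on each
# line also carry the fix; 2.3 through 2.8 are not LTS and are treated as unpatched.
FIXED_LTS = (2, 2, 27)
FIXED_CURRENT = (2, 9, 6)

def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Composer version 2.9.5 2026-01-01'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version_text):
    """True if this Composer release includes the Perforce driver fixes."""
    v = parse_version(version_text)
    if v[:2] == FIXED_LTS[:2]:          # 2.2.x LTS line
        return v >= FIXED_LTS
    return v >= FIXED_CURRENT           # everything else needs 2.9.6 or newer

def perforce_refs(composer_json, composer_lock):
    """Return repositories and locked packages that are fetched via Perforce."""
    hits = []
    for repo in composer_json.get("repositories", []):
        if isinstance(repo, dict) and repo.get("type") == "perforce":
            hits.append("repository:" + repo.get("url", "?"))
    for section in ("packages", "packages-dev"):
        for pkg in composer_lock.get(section, []):
            if pkg.get("source", {}).get("type") == "perforce":
                hits.append(f"{section}:{pkg['name']}")
    return hits

# Constructed sample manifests (placeholder hostnames, not real projects).
SAMPLE_COMPOSER_JSON = json.loads("""{
  "repositories": [
    {"type": "composer", "url": "https://packages.example.internal"},
    {"type": "perforce", "url": "perforce.example.internal:1666", "depot": "tools"}
  ]}""")
SAMPLE_COMPOSER_LOCK = json.loads("""{
  "packages": [{"name": "acme/lib", "source": {"type": "git", "url": "https://git.example.internal/lib"}}],
  "packages-dev": [{"name": "acme/p4-tool", "source": {"type": "perforce", "url": "perforce.example.internal:1666"}}]
}""")

if __name__ == "__main__":
    print("patched:", is_patched("Composer version 2.9.5"))
    print("perforce sources:", perforce_refs(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK))
```

Feed the real `composer --version` output and the project's composer.json / composer.lock in place of the samples; any non-empty result from `perforce_refs` on an unpatched Composer is the case the advisory warns about.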

From laravel-news.com