Composer 2.9.6 and 2.2.27 LTS fix two Perforce VCS driver command injection vulnerabilities that could lead to arbitrary command execution. Update immediately.

Laravel News

Composer 2.9.6 and 2.2.27 LTS have been released to patch two command injection vulnerabilities (CVE-2026-40261 and CVE-2026-40176) in the Perforce VCS driver. The first flaw affects the generateP4Command() method and can be triggered via malicious Perforce connection parameters in a root composer.json. The second affects syncCodeBase() and allows injection via a crafted source reference when installing dependencies from a compromised repository, even without Perforce installed. No exploitation in the wild has been detected. Users should run `composer self-update` immediately and prefer --prefer-dist installs to reduce exposure.

Composer 2.9.6 Fixes Two Perforce Command Injection Vulnerabilities

<p>ok, yeah do update your composer , seriously</p>
