SB2026041483 - Fedora 42 update for composer

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026041483

SB2026041483 - Fedora 42 update for composer

Published: April 14, 2026

Security Bulletin ID SB2026041483
Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) OS Command Injection (CVE-ID: CVE-2026-40261)

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to command injection in the Perforce::syncCodeBase() and Perforce::generateP4Command() methods when processing package metadata containing a crafted Perforce source reference or source url. A remote attacker can supply a malicious package through a Composer repository to execute arbitrary commands.

The issue is exploitable when installing or updating dependencies from source, including with --prefer-source and by default for dev prefixed versions. User interaction is required to install or update the dependency.


2) OS Command Injection (CVE-ID: CVE-2026-40176)

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to command injection in Perforce::generateP4Command() when processing a malicious Perforce repository definition from a composer.json file. A remote attacker can supply crafted Perforce connection parameters to execute arbitrary commands.

User interaction is required because the victim must run Composer commands on an untrusted project or configuration containing the malicious repository definition.


Remediation

Install update from vendor's website.

References