OS Command Injection in composer - CVE-2026-40176


Published: April 14, 2026

Vulnerability identifier: #VU125895
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-40176
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: getcomposer.org
Affected software:
composer

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary commands on the system where Composer is run, with the privileges of the user running Composer.

The vulnerability exists because Perforce::generateP4Command() builds the p4 command line from a Perforce repository definition in composer.json without sanitizing the connection parameters it takes from that definition. A remote attacker who controls a composer.json processed by the victim can supply crafted Perforce connection parameters containing shell metacharacters, which are passed to the shell and executed as arbitrary commands.

User interaction is required because the victim must run Composer commands on an untrusted project or configuration containing the malicious repository definition.


How to mitigate CVE-2026-40176

Install the security update from the vendor's website (update Composer to a release that fixes CVE-2026-40176). Until the update is applied, do not run Composer commands against composer.json files from untrusted sources, and review any "repositories" entries of type "perforce" for connection parameters that contain shell metacharacters.
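The following is an added illustration of the bug class described above and of the pre-flight check suggested in the mitigation; it is not Composer's code and not the vulnerable function itself. It models a Perforce command builder that concatenates repository parameters into a shell string, shows the same builder with each parameter quoted via escapeshellarg(), and scans a composer.json for perforce repository definitions whose fields fall outside a conservative character allowlist. The key names (url, p4user, depot) follow Composer's documented perforce repository configuration; the JSON document and its values are constructed for this example, and buildP4CommandUnsafe, buildP4CommandSafe and isSaneP4Value are hypothetical names. The commands are only printed, never executed.

```php
<?php
declare(strict_types=1);

// Constructed composer.json fragment (not from any real project). The p4user
// value carries a shell metacharacter payload of the kind the advisory describes.
const SAMPLE_COMPOSER_JSON = <<<'JSON'
{
  "repositories": [
    {
      "type": "perforce",
      "url": "perforce.example.test:1666",
      "p4user": "alice; id > /tmp/pwned #",
      "depot": "example_depot"
    },
    {
      "type": "vcs",
      "url": "https://git.example.test/acme/lib.git"
    }
  ]
}
JSON;

// Unsafe pattern: untrusted fields are concatenated verbatim into the command
// line, so ';', '|', '`', '$(...)' etc. are interpreted by the shell.
function buildP4CommandUnsafe(string $user, string $port, string $command): string
{
    return 'p4 -u ' . $user . ' -p ' . $port . ' ' . $command;
}

// Hardened pattern: every untrusted field becomes exactly one quoted shell
// argument, so metacharacters reach p4 as data rather than as shell syntax.
function buildP4CommandSafe(string $user, string $port, string $command): string
{
    return 'p4 -u ' . escapeshellarg($user) . ' -p ' . escapeshellarg($port) . ' ' . $command;
}

// Defense in depth: a Perforce user, port (host:port) or depot name has no
// legitimate need for whitespace or shell metacharacters. Reject anything else.
function isSaneP4Value(string $value): bool
{
    return (bool) preg_match('/^[A-Za-z0-9._@:\/-]+$/', $value);
}

// Return the repository definitions of type "perforce" from a composer.json string.
function perforceRepositories(string $json): array
{
    $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    return array_values(array_filter(
        $data['repositories'] ?? [],
        static fn(array $repo): bool => ($repo['type'] ?? '') === 'perforce'
    ));
}

// Audit every perforce repository and report fields that fail the allowlist.
function auditPerforceRepositories(string $json): array
{
    $findings = [];
    foreach (perforceRepositories($json) as $index => $repo) {
        foreach (['url', 'p4user', 'depot'] as $field) {
            $value = (string) ($repo[$field] ?? '');
            if ($value !== '' && !isSaneP4Value($value)) {
                $findings[] = "repositories[$index].$field contains characters outside the allowed set";
            }
        }
    }
    return $findings;
}

foreach (perforceRepositories(SAMPLE_COMPOSER_JSON) as $repo) {
    $user = (string) ($repo['p4user'] ?? '');
    $port = (string) ($repo['url'] ?? '');
    echo "unsafe: " . buildP4CommandUnsafe($user, $port, 'info') . "\n";
    echo "safe:   " . buildP4CommandSafe($user, $port, 'info') . "\n";
}
foreach (auditPerforceRepositories(SAMPLE_COMPOSER_JSON) as $finding) {
    echo "reject: $finding\n";
}
```

In the unsafe output the shell would stop the p4 invocation at the ';' and run the injected command; in the safe output the whole p4user value is one single-quoted argument, and the audit flags the field before any command is built. Running the audit over a composer.json from an untrusted source before invoking Composer is the check the mitigation above refers to; it is a stopgap, not a substitute for the vendor fix.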

Sources