#VU125895 OS Command Injection in composer - CVE-2026-40176

Published: April 14, 2026


Vulnerability identifier: #VU125895
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-40176
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: composer
Software vendor: getcomposer.org

Description

The vulnerability allows a remote attacker to execute arbitrary commands on the system running Composer.

The vulnerability exists because Perforce::generateP4Command() builds the p4 command line from Perforce connection parameters taken from a repository definition in composer.json without sufficiently sanitizing them (CWE-78). An attacker who controls a composer.json that defines a Perforce repository can supply crafted connection parameters that break out of the intended command and run arbitrary shell commands with the privileges of the user running Composer.

User interaction is required: the victim must run a Composer command (for example, composer install or composer update) against an untrusted project or configuration that contains the malicious repository definition.
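As an added example, not code from Composer or from this advisory, the following PHP shows the pattern behind a CWE-78 flaw of this kind and its hardened form. The function names are hypothetical, the repository definition is constructed, and the page does not state which parameters are affected in CVE-2026-40176; the keys url, p4user and p4password follow Composer's documented Perforce repository definition.

```php
<?php
// Added illustration, not Composer's own code: a Perforce command line assembled
// by string concatenation from repository parameters, the same line with every
// parameter escaped, and a pre-flight check on the parameters. The function
// names are hypothetical; the keys url/p4user/p4password follow Composer's
// documented Perforce repository definition.

// Constructed repository definition as it could appear in an untrusted composer.json.
$repo = [
    'type'       => 'perforce',
    'url'        => 'perforce.example.com:1666',
    'p4user'     => 'alice; id > /tmp/pwned',   // attacker-controlled value
    'p4password' => 'secret',
];

// Vulnerable pattern: raw values are interpolated into a string that a shell parses,
// so ";" ends the p4 invocation and the remainder runs as a separate command.
function buildP4CommandUnsafe(array $repo, string $subcommand): string
{
    return 'p4'
        . ' -u ' . ($repo['p4user'] ?? '')
        . ' -P ' . ($repo['p4password'] ?? '')
        . ' -p ' . ($repo['url'] ?? '')
        . ' ' . $subcommand;
}

// Hardened pattern: each externally supplied value is quoted as one argument,
// so metacharacters inside it reach p4 literally instead of the shell.
function buildP4CommandSafe(array $repo, string $subcommand): string
{
    return 'p4'
        . ' -u ' . escapeshellarg($repo['p4user'] ?? '')
        . ' -P ' . escapeshellarg($repo['p4password'] ?? '')
        . ' -p ' . escapeshellarg($repo['url'] ?? '')
        . ' ' . escapeshellarg($subcommand);
}

// Pre-flight gate: reject connection parameters that contain shell metacharacters
// before any command line is built. Escaping is the actual fix; this catches
// suspicious definitions early and produces a clear error instead of a silent run.
function perforceParamsLookSafe(array $repo): bool
{
    foreach (['url', 'p4user', 'p4password'] as $key) {
        $value = $repo[$key] ?? '';
        if (preg_match('/[;&|`$<>(){}\\\\\'"\s]/', $value) === 1) {
            return false;
        }
    }
    return true;
}

if (!perforceParamsLookSafe($repo)) {
    fwrite(STDERR, "refusing Perforce repository: connection parameters contain shell metacharacters\n");
}
echo "unsafe: " . buildP4CommandUnsafe($repo, 'info') . PHP_EOL;
echo "safe:   " . buildP4CommandSafe($repo, 'info') . PHP_EOL;
```

Run it with the php CLI. The unsafe line comes out as p4 -u alice; id > /tmp/pwned -P secret -p perforce.example.com:1666 info; handed to a shell, that runs p4 and then id > /tmp/pwned. The safe line quotes the user as 'alice; id > /tmp/pwned', which p4 receives as a single, harmless username. The pre-flight regex will also reject legitimate passwords that contain metacharacters, so treat it as a tunable gate rather than a substitute for escaping. Better still is to keep the shell out entirely: on PHP 7.4 and later, proc_open() accepts the command as an array of arguments, and an array-based invocation needs no quoting at all.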


Remediation

Update Composer to a release that contains the fix (for example with composer self-update), or install the security update from the vendor's website. Until the update is applied, do not run Composer against projects or composer.json files from untrusted sources.

External links