LeakyCreds

CVE-2026-40261 - Vulnerability Analysis

Severity: High (CVSS: 8.8)

Last Updated: April 15, 2026

Composer - Command Injection

Published: April 15, 2026
Updated: April 15, 2026
Remote Exploitable

Overview

Composer 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection caused by improper escaping of user-supplied parameters in the Perforce::syncCodeBase() and Perforce::generateP4Command() methods. An attacker can inject arbitrary commands during dependency installation or update from source. Exploitation requires malicious package metadata served by a compromised or malicious Composer repository.

Severity & Score

Severity: High
CVSS Score: 8.8

Impact

Attackers can execute arbitrary commands on the system during dependency installation or update, potentially leading to full system compromise.

Mitigation

Upgrade to Composer 2.2.27 or 2.9.6 or a later version. Alternatively, avoid installing dependencies from source by using --prefer-dist or setting preferred-install: dist, and use only trusted repositories.
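As an added audit helper (not part of this page or of the Composer project), the script below checks a Composer version string against the affected ranges listed above and inspects a composer.json for the preferred-install: dist mitigation. Function names, the handling of pre-release suffixes, and the sample JSON are my own assumptions.

```python
"""Audit helpers for CVE-2026-40261 (Composer Perforce command injection)."""
import json
import re
from typing import Tuple

# Affected ranges from the advisory: 1.0 - 2.2.26 and 2.3 - 2.9.5.
# Fixed releases: 2.2.27 and 2.9.6 (and anything later).
AFFECTED_RANGES = [((1, 0, 0), (2, 2, 26)), ((2, 3, 0), (2, 9, 5))]


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract the leading major.minor.patch from a version string.

    Accepts bare "2.9.5" or the output of `composer --version`.
    Assumption: pre-release suffixes such as "-RC1" are ignored.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version_text: str) -> bool:
    """True when the Composer version falls inside an affected range."""
    v = parse_version(version_text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def source_installs_blocked(composer_json_text: str) -> bool:
    """True when config.preferred-install pins every package to dist.

    Composer accepts a single string ("dist", "source", "auto") or a map of
    package patterns to those values. Only an unconditional "dist" removes
    the source-install path (assumption: an unset value is not trusted).
    """
    cfg = json.loads(composer_json_text).get("config", {})
    pref = cfg.get("preferred-install")
    if isinstance(pref, str):
        return pref == "dist"
    if isinstance(pref, dict):
        return "*" in pref and all(v == "dist" for v in pref.values())
    return False


def exposure(version_text: str, composer_json_text: str) -> str:
    """Summarise as 'patched', 'mitigated' (affected but dist-only) or 'exposed'."""
    if not is_affected(version_text):
        return "patched"
    if source_installs_blocked(composer_json_text):
        return "mitigated"
    return "exposed"
```

The config check covers composer.json only; a --prefer-dist passed on the command line is not visible to it.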

Details

CVE ID: CVE-2026-40261
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: new

CWE

  • CWE-20

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H