New PHP Composer Flaws Enable Arbitrary Command Execution

New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released
嗯，用户让我用中文总结一篇文章，控制在一百个字以内，而且不需要用“文章内容总结”之类的开头。好的，首先我得仔细阅读这篇文章，理解主要内容。文章讲的是Composer这个PHP包管理器发现了两个高危安全漏洞。这两个漏洞属于命令注入类型，影响Perforce版本控制系统驱动。漏洞编号是CVE-2026-40176和CVE-2026-40261，CVSS评分分别是7.8和8.8。攻击者可以通过恶意的composer.json文件注入命令，导致任意命令执行。受影响的版本包括>=2.3,<2.9.6和>=2.0,<2.2.27，已经修复的版本是2.9.6和2.2.27。建议用户更新Composer到最新版本，并检查composer.json文件，确保Perforce相关字段有效。此外，建议只使用可信的仓库，并避免使用某些配置选项。 Packagist.org已经禁用了Perforce源元数据的发布，并未发现被利用的情况。所以用户应该立即更新安装。现在我要把这些信息浓缩到100字以内。重点包括：Composer发现两个高危漏洞，影响Perforce驱动，CVSS评分高，可能导致命令执行，影响特定版本，建议更新和检查配置。可能的结构：Composer发现两个高危漏洞（CVE编号），影响Perforce驱动，CVSS评分分别为7.8和8.8。漏洞可能导致任意命令执行。受影响版本包括>=2.3,<2.9.6和>=2.0,<2.2.27。建议用户更新到最新版本，并检查composer.json文件中的Perforce配置是否有效。此外，避免使用某些依赖安装选项，并确保只使用可信来源。这样大概控制在100字左右。 </think> Composer发现两个高危安全漏洞（CVE-2026-40176和CVE-2026-40261），影响Perforce VCS驱动，可能导致任意命令执行。漏洞评分分别为7.8和8.8。受影响版本为>= 2.3, < 2.9.6 和 >= 2.0, < 2.2.27。建议立即更新至修复版本，并检查composer.json文件中的Perforce配置是否有效。 2026-4-14 15:57:0 Author: thehackernews.com(查看原文) 阅读量:7 收藏

Vulnerability / DevSecOps

Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution.

The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below -

CVE-2026-40176 (CVSS score: 7.8) - An improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer.
CVE-2026-40261 (CVSS score: 8.8) - An improper input validation vulnerability stemming from inadequate escaping that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.

In both cases, Composer would execute these injected commands even if Perforce VCS is not installed, the maintainers noted in an advisory.

The vulnerabilities affect the following versions -

>= 2.3, < 2.9.6 (Fixed in version 2.9.6)
>= 2.0, < 2.2.27 (Fixed in version 2.2.27)

If immediate patching is not an option, it's advised to inspect composer.json files before running Composer and verify that Perforce-related fields contain valid values. It's also recommended to only use trusted Composer repositories, run Composer commands on projects from trusted sources, and avoid installing dependencies using the "--prefer-dist" or the "preferred-install: dist" configuration setting.

Composer said it scanned Packagist.org and did not find any evidence of the aforementioned vulnerabilities being exploited by threat actors by publishing packages with malicious Perforce information. A new release is expected to be shipped for Private Packagist Self-Hosted customers.

"As a precaution, publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026," it said. "Composer installations should be updated immediately regardless."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

文章来源: https://thehackernews.com/2026/04/new-php-composer-flaws-enable-arbitrary.html
如有侵权请联系:admin#unsafe.sh