Keypoints
- Two command-injection flaws affect Composer’s Perforce VCS driver (CVE-2026-40176, CVE-2026-40261).
- Injected commands can run even if Perforce is not installed on the system.
- Affected releases are >=2.3,<2.9.6 and >=2.0,<2.2.27; the fixes are in 2.9.6 and 2.2.27.
- Patch immediately; where that is not possible, inspect composer.json and avoid untrusted repositories and dist installs.
- Packagist has disabled Perforce metadata as a precaution, and the Composer maintainers found no evidence of active exploitation.
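The script below is an added example, not code from the advisory or from the Composer project. It turns the two checks above into something you can run against a project: it reports whether a Composer version falls inside the affected ranges stated above, and it lists the entries in composer.json that the Perforce driver would handle. The sample composer.json and the `composer --version` output are constructed. Composer's explicit Perforce repository type is `perforce`; treating a `vcs` entry whose URL mentions `perforce` or `p4` as Perforce-bound is a heuristic and an assumption of this example. The script deliberately does not check whether the `p4` client is installed, since, as noted above, the injected commands run without it.

```python
import json
import re

# Affected ranges as stated in the summary above: >=2.3,<2.9.6 and >=2.0,<2.2.27
# (lower bound inclusive, upper bound exclusive, as (major, minor, patch) tuples).
AFFECTED_RANGES = [((2, 3, 0), (2, 9, 6)), ((2, 0, 0), (2, 2, 27))]

# Constructed sample composer.json: one Perforce repository, one Git repository,
# one Composer-type repository. Only the first should be flagged.
SAMPLE_COMPOSER_JSON = """
{
  "require": {"acme/widgets": "^1.0"},
  "repositories": [
    {"type": "perforce", "url": "perforce.example.com:1666", "depot": "acme_widgets"},
    {"type": "vcs", "url": "https://github.com/acme/widgets"},
    {"type": "composer", "url": "https://packagist.example.com"}
  ]
}
"""

# Constructed `composer --version` output for an unpatched 2.9.x install.
SAMPLE_VERSION_OUTPUT = "Composer version 2.9.5 2026-03-01 10:00:00"


def parse_version(version: str) -> tuple:
    """Turn '2.9.5' (a suffix such as '-RC1' is ignored) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def composer_version_from_output(output: str) -> str:
    """Extract the version number from the first line of `composer --version`."""
    m = re.search(r"Composer version (\S+)", output)
    if not m:
        raise ValueError("no Composer version found in output")
    return m.group(1)


def is_affected(version: str) -> bool:
    """True if the version lies in one of the affected ranges above."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def perforce_repositories(composer_json: str) -> list:
    """Return repository entries that the Perforce VCS driver would handle.

    An explicit "perforce" type is certain. A "vcs" entry whose URL mentions
    perforce or p4 is flagged on the assumption (heuristic) that the driver may
    be selected for it; review such entries by hand.
    """
    data = json.loads(composer_json)
    repos = data.get("repositories", [])
    if isinstance(repos, dict):  # composer.json also allows an object keyed by name
        repos = list(repos.values())
    hits = []
    for repo in repos:
        if not isinstance(repo, dict):
            continue
        rtype = str(repo.get("type", "")).lower()
        url = str(repo.get("url", ""))
        if rtype == "perforce" or (
            rtype == "vcs" and re.search(r"\b(perforce|p4)\b", url, re.IGNORECASE)
        ):
            hits.append({"type": rtype, "url": url})
    return hits


def audit(composer_json: str, version_output: str) -> dict:
    """Combine both checks into one report for a project."""
    version = composer_version_from_output(version_output)
    return {
        "composer_version": version,
        "version_affected": is_affected(version),
        "perforce_repositories": perforce_repositories(composer_json),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_COMPOSER_JSON, SAMPLE_VERSION_OUTPUT)
    print(json.dumps(report, indent=2))
    # Either finding alone is worth acting on: an affected version is exploitable
    # by any untrusted composer.json it processes, and a Perforce repository is
    # the code path the advisory concerns, whether or not p4 is installed.
```

To run it against a real project, replace the two constructed samples with the contents of the project's composer.json and the output of `composer --version`.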
Read More: https://thehackernews.com/2026/04/new-php-composer-flaws-enable-arbitrary.html