CVE-2026-40261

Description

### Impact The `Perforce::syncCodeBase()` method appended the `$sourceReference` parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 the `Perforce::generateP4Command()` method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping from the source url field. Composer would execute these injected commands even if Perforce is not installed. The source reference and url are provided as part of package metadata. Any Composer package repository can serve package metadata declaring perforce as a source type with a malicious source reference or source url. This means the vulnerability can be exploited through any package served by a compromised or malicious Composer repository. An attack does not require Perforce to be installed on the client, as Composer will attempt to execute the constructed command regardless. This vulnerability is exploitable when installing or updating dependencies from source (`--prefer-source`, default when installing dev prefixed versions), even if you do not use Perforce. ### Patches Fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline) Note, the fix for the source url in the `Perforce::generateP4Command()` was addressed as part of the patches for GHSA-wg36-wvj6-r67p / CVE-2026-40176 in the same versions. ### Workarounds - Avoid installing dependencies from source by using `--prefer-dist` or the `preferred-install: dist` config setting. - Only use trusted Composer repositories.

How to fix CVE-2026-40261

To remediate CVE-2026-40261, upgrade the affected package to a fixed version below.

• —upgrade to 2.2.27 or later
• —no fix listed
• —upgrade to 2.9.6 or later

Is CVE-2026-40261 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.