CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-40176

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 1.5%

CVSS Severity

CVSS v3 Score 7.8

References

Products affected by CVE-2026-40176

Getcomposer » Composer » Version: 1.0.0

cpe:2.3:a:getcomposer:composer:1.0.0
Getcomposer » Composer » Version: 1.0.1

cpe:2.3:a:getcomposer:composer:1.0.1
Getcomposer » Composer » Version: 1.0.2

cpe:2.3:a:getcomposer:composer:1.0.2
Getcomposer » Composer » Version: 1.0.3

cpe:2.3:a:getcomposer:composer:1.0.3
Getcomposer » Composer » Version: 1.1.0

cpe:2.3:a:getcomposer:composer:1.1.0
Getcomposer » Composer » Version: 1.1.1

cpe:2.3:a:getcomposer:composer:1.1.1
Getcomposer » Composer » Version: 1.1.2

cpe:2.3:a:getcomposer:composer:1.1.2
Getcomposer » Composer » Version: 1.1.3

cpe:2.3:a:getcomposer:composer:1.1.3
Getcomposer » Composer » Version: 1.10.0

cpe:2.3:a:getcomposer:composer:1.10.0
Getcomposer » Composer » Version: 1.10.1

cpe:2.3:a:getcomposer:composer:1.10.1
Getcomposer » Composer » Version: 1.10.10

cpe:2.3:a:getcomposer:composer:1.10.10
Getcomposer » Composer » Version: 1.10.11

cpe:2.3:a:getcomposer:composer:1.10.11
Getcomposer » Composer » Version: 1.10.12

cpe:2.3:a:getcomposer:composer:1.10.12
Getcomposer » Composer » Version: 1.10.13

cpe:2.3:a:getcomposer:composer:1.10.13
Getcomposer » Composer » Version: 1.10.14

cpe:2.3:a:getcomposer:composer:1.10.14
Getcomposer » Composer » Version: 1.10.15

cpe:2.3:a:getcomposer:composer:1.10.15
Getcomposer » Composer » Version: 1.10.16

cpe:2.3:a:getcomposer:composer:1.10.16
Getcomposer » Composer » Version: 1.10.17

cpe:2.3:a:getcomposer:composer:1.10.17
Getcomposer » Composer » Version: 1.10.18

cpe:2.3:a:getcomposer:composer:1.10.18
Getcomposer » Composer » Version: 1.10.19

cpe:2.3:a:getcomposer:composer:1.10.19
Getcomposer » Composer » Version: 1.10.2

cpe:2.3:a:getcomposer:composer:1.10.2
Getcomposer » Composer » Version: 1.10.20

cpe:2.3:a:getcomposer:composer:1.10.20
Getcomposer » Composer » Version: 1.10.21

cpe:2.3:a:getcomposer:composer:1.10.21
Getcomposer » Composer » Version: 1.10.22

cpe:2.3:a:getcomposer:composer:1.10.22
Getcomposer » Composer » Version: 1.10.23

cpe:2.3:a:getcomposer:composer:1.10.23
Getcomposer » Composer » Version: 1.10.24

cpe:2.3:a:getcomposer:composer:1.10.24
Getcomposer » Composer » Version: 1.10.25

cpe:2.3:a:getcomposer:composer:1.10.25
Getcomposer » Composer » Version: 1.10.26

cpe:2.3:a:getcomposer:composer:1.10.26
Getcomposer » Composer » Version: 1.10.27

cpe:2.3:a:getcomposer:composer:1.10.27
Getcomposer » Composer » Version: 1.10.3

cpe:2.3:a:getcomposer:composer:1.10.3
Getcomposer » Composer » Version: 1.10.4

cpe:2.3:a:getcomposer:composer:1.10.4
Getcomposer » Composer » Version: 1.10.5

cpe:2.3:a:getcomposer:composer:1.10.5
Getcomposer » Composer » Version: 1.10.6

cpe:2.3:a:getcomposer:composer:1.10.6
Getcomposer » Composer » Version: 1.10.7

cpe:2.3:a:getcomposer:composer:1.10.7
Getcomposer » Composer » Version: 1.10.8

cpe:2.3:a:getcomposer:composer:1.10.8
Getcomposer » Composer » Version: 1.10.9

cpe:2.3:a:getcomposer:composer:1.10.9
Getcomposer » Composer » Version: 1.2.0

cpe:2.3:a:getcomposer:composer:1.2.0
Getcomposer » Composer » Version: 1.2.1

cpe:2.3:a:getcomposer:composer:1.2.1
Getcomposer » Composer » Version: 1.2.2

cpe:2.3:a:getcomposer:composer:1.2.2
Getcomposer » Composer » Version: 1.2.3

cpe:2.3:a:getcomposer:composer:1.2.3
Getcomposer » Composer » Version: 1.2.4

cpe:2.3:a:getcomposer:composer:1.2.4
Getcomposer » Composer » Version: 1.3.0

cpe:2.3:a:getcomposer:composer:1.3.0
Getcomposer » Composer » Version: 1.3.1

cpe:2.3:a:getcomposer:composer:1.3.1
Getcomposer » Composer » Version: 1.3.2

cpe:2.3:a:getcomposer:composer:1.3.2
Getcomposer » Composer » Version: 1.3.3

cpe:2.3:a:getcomposer:composer:1.3.3
Getcomposer » Composer » Version: 1.4.0

cpe:2.3:a:getcomposer:composer:1.4.0
Getcomposer » Composer » Version: 1.4.1

cpe:2.3:a:getcomposer:composer:1.4.1
Getcomposer » Composer » Version: 1.4.2

cpe:2.3:a:getcomposer:composer:1.4.2
Getcomposer » Composer » Version: 1.4.3

cpe:2.3:a:getcomposer:composer:1.4.3
Getcomposer » Composer » Version: 1.5.0

cpe:2.3:a:getcomposer:composer:1.5.0
Getcomposer » Composer » Version: 1.5.1

cpe:2.3:a:getcomposer:composer:1.5.1
Getcomposer » Composer » Version: 1.5.2

cpe:2.3:a:getcomposer:composer:1.5.2
Getcomposer » Composer » Version: 1.5.3

cpe:2.3:a:getcomposer:composer:1.5.3
Getcomposer » Composer » Version: 1.5.4

cpe:2.3:a:getcomposer:composer:1.5.4
Getcomposer » Composer » Version: 1.5.5

cpe:2.3:a:getcomposer:composer:1.5.5
Getcomposer » Composer » Version: 1.5.6

cpe:2.3:a:getcomposer:composer:1.5.6
Getcomposer » Composer » Version: 1.6.0

cpe:2.3:a:getcomposer:composer:1.6.0
Getcomposer » Composer » Version: 1.6.1

cpe:2.3:a:getcomposer:composer:1.6.1
Getcomposer » Composer » Version: 1.6.2

cpe:2.3:a:getcomposer:composer:1.6.2
Getcomposer » Composer » Version: 1.6.3

cpe:2.3:a:getcomposer:composer:1.6.3
Getcomposer » Composer » Version: 1.6.4

cpe:2.3:a:getcomposer:composer:1.6.4
Getcomposer » Composer » Version: 1.6.5

cpe:2.3:a:getcomposer:composer:1.6.5
Getcomposer » Composer » Version: 1.7.0

cpe:2.3:a:getcomposer:composer:1.7.0
Getcomposer » Composer » Version: 1.7.1

cpe:2.3:a:getcomposer:composer:1.7.1
Getcomposer » Composer » Version: 1.7.2

cpe:2.3:a:getcomposer:composer:1.7.2
Getcomposer » Composer » Version: 1.7.3

cpe:2.3:a:getcomposer:composer:1.7.3
Getcomposer » Composer » Version: 1.8.0

cpe:2.3:a:getcomposer:composer:1.8.0
Getcomposer » Composer » Version: 1.8.1

cpe:2.3:a:getcomposer:composer:1.8.1
Getcomposer » Composer » Version: 1.8.2

cpe:2.3:a:getcomposer:composer:1.8.2
Getcomposer » Composer » Version: 1.8.3

cpe:2.3:a:getcomposer:composer:1.8.3
Getcomposer » Composer » Version: 1.8.4

cpe:2.3:a:getcomposer:composer:1.8.4
Getcomposer » Composer » Version: 1.8.5

cpe:2.3:a:getcomposer:composer:1.8.5
Getcomposer » Composer » Version: 1.8.6

cpe:2.3:a:getcomposer:composer:1.8.6
Getcomposer » Composer » Version: 1.9.0

cpe:2.3:a:getcomposer:composer:1.9.0
Getcomposer » Composer » Version: 1.9.1

cpe:2.3:a:getcomposer:composer:1.9.1
Getcomposer » Composer » Version: 1.9.2

cpe:2.3:a:getcomposer:composer:1.9.2
Getcomposer » Composer » Version: 1.9.3

cpe:2.3:a:getcomposer:composer:1.9.3
Getcomposer » Composer » Version: 2.0.0

cpe:2.3:a:getcomposer:composer:2.0.0
Getcomposer » Composer » Version: 2.0.1

cpe:2.3:a:getcomposer:composer:2.0.1
Getcomposer » Composer » Version: 2.0.10

cpe:2.3:a:getcomposer:composer:2.0.10
Getcomposer » Composer » Version: 2.0.11

cpe:2.3:a:getcomposer:composer:2.0.11
Getcomposer » Composer » Version: 2.0.12

cpe:2.3:a:getcomposer:composer:2.0.12
Getcomposer » Composer » Version: 2.0.13

cpe:2.3:a:getcomposer:composer:2.0.13
Getcomposer » Composer » Version: 2.0.14

cpe:2.3:a:getcomposer:composer:2.0.14
Getcomposer » Composer » Version: 2.0.2

cpe:2.3:a:getcomposer:composer:2.0.2
Getcomposer » Composer » Version: 2.0.3

cpe:2.3:a:getcomposer:composer:2.0.3
Getcomposer » Composer » Version: 2.0.4

cpe:2.3:a:getcomposer:composer:2.0.4
Getcomposer » Composer » Version: 2.0.5

cpe:2.3:a:getcomposer:composer:2.0.5
Getcomposer » Composer » Version: 2.0.6

cpe:2.3:a:getcomposer:composer:2.0.6
Getcomposer » Composer » Version: 2.0.7

cpe:2.3:a:getcomposer:composer:2.0.7
Getcomposer » Composer » Version: 2.0.8

cpe:2.3:a:getcomposer:composer:2.0.8
Getcomposer » Composer » Version: 2.0.9

cpe:2.3:a:getcomposer:composer:2.0.9
Getcomposer » Composer » Version: 2.1.0

cpe:2.3:a:getcomposer:composer:2.1.0
Getcomposer » Composer » Version: 2.1.1

cpe:2.3:a:getcomposer:composer:2.1.1
Getcomposer » Composer » Version: 2.1.10

cpe:2.3:a:getcomposer:composer:2.1.10
Getcomposer » Composer » Version: 2.1.11

cpe:2.3:a:getcomposer:composer:2.1.11
Getcomposer » Composer » Version: 2.1.12

cpe:2.3:a:getcomposer:composer:2.1.12
Getcomposer » Composer » Version: 2.1.14

cpe:2.3:a:getcomposer:composer:2.1.14
Getcomposer » Composer » Version: 2.1.2

cpe:2.3:a:getcomposer:composer:2.1.2
Getcomposer » Composer » Version: 2.1.3

cpe:2.3:a:getcomposer:composer:2.1.3
Getcomposer » Composer » Version: 2.1.4

cpe:2.3:a:getcomposer:composer:2.1.4
Getcomposer » Composer » Version: 2.1.5

cpe:2.3:a:getcomposer:composer:2.1.5
Getcomposer » Composer » Version: 2.1.6

cpe:2.3:a:getcomposer:composer:2.1.6
Getcomposer » Composer » Version: 2.1.7

cpe:2.3:a:getcomposer:composer:2.1.7
Getcomposer » Composer » Version: 2.1.8

cpe:2.3:a:getcomposer:composer:2.1.8
Getcomposer » Composer » Version: 2.1.9

cpe:2.3:a:getcomposer:composer:2.1.9
Getcomposer » Composer » Version: 2.2.0

cpe:2.3:a:getcomposer:composer:2.2.0
Getcomposer » Composer » Version: 2.2.1

cpe:2.3:a:getcomposer:composer:2.2.1
Getcomposer » Composer » Version: 2.2.10

cpe:2.3:a:getcomposer:composer:2.2.10
Getcomposer » Composer » Version: 2.2.11

cpe:2.3:a:getcomposer:composer:2.2.11
Getcomposer » Composer » Version: 2.2.12

cpe:2.3:a:getcomposer:composer:2.2.12
Getcomposer » Composer » Version: 2.2.13

cpe:2.3:a:getcomposer:composer:2.2.13
Getcomposer » Composer » Version: 2.2.14

cpe:2.3:a:getcomposer:composer:2.2.14
Getcomposer » Composer » Version: 2.2.15

cpe:2.3:a:getcomposer:composer:2.2.15
Getcomposer » Composer » Version: 2.2.16

cpe:2.3:a:getcomposer:composer:2.2.16
Getcomposer » Composer » Version: 2.2.17

cpe:2.3:a:getcomposer:composer:2.2.17
Getcomposer » Composer » Version: 2.2.18

cpe:2.3:a:getcomposer:composer:2.2.18
Getcomposer » Composer » Version: 2.2.19

cpe:2.3:a:getcomposer:composer:2.2.19
Getcomposer » Composer » Version: 2.2.2

cpe:2.3:a:getcomposer:composer:2.2.2
Getcomposer » Composer » Version: 2.2.20

cpe:2.3:a:getcomposer:composer:2.2.20
Getcomposer » Composer » Version: 2.2.21

cpe:2.3:a:getcomposer:composer:2.2.21
Getcomposer » Composer » Version: 2.2.22

cpe:2.3:a:getcomposer:composer:2.2.22
Getcomposer » Composer » Version: 2.2.23

cpe:2.3:a:getcomposer:composer:2.2.23
Getcomposer » Composer » Version: 2.2.24

cpe:2.3:a:getcomposer:composer:2.2.24
Getcomposer » Composer » Version: 2.2.25

cpe:2.3:a:getcomposer:composer:2.2.25
Getcomposer » Composer » Version: 2.2.26

cpe:2.3:a:getcomposer:composer:2.2.26
Getcomposer » Composer » Version: 2.2.3

cpe:2.3:a:getcomposer:composer:2.2.3
Getcomposer » Composer » Version: 2.2.4

cpe:2.3:a:getcomposer:composer:2.2.4
Getcomposer » Composer » Version: 2.2.5

cpe:2.3:a:getcomposer:composer:2.2.5
Getcomposer » Composer » Version: 2.2.6

cpe:2.3:a:getcomposer:composer:2.2.6
Getcomposer » Composer » Version: 2.2.7

cpe:2.3:a:getcomposer:composer:2.2.7
Getcomposer » Composer » Version: 2.2.8

cpe:2.3:a:getcomposer:composer:2.2.8
Getcomposer » Composer » Version: 2.2.9

cpe:2.3:a:getcomposer:composer:2.2.9
Getcomposer » Composer » Version: 2.3.0

cpe:2.3:a:getcomposer:composer:2.3.0
Getcomposer » Composer » Version: 2.3.1

cpe:2.3:a:getcomposer:composer:2.3.1
Getcomposer » Composer » Version: 2.3.10

cpe:2.3:a:getcomposer:composer:2.3.10
Getcomposer » Composer » Version: 2.3.2

cpe:2.3:a:getcomposer:composer:2.3.2
Getcomposer » Composer » Version: 2.3.3

cpe:2.3:a:getcomposer:composer:2.3.3
Getcomposer » Composer » Version: 2.3.4

cpe:2.3:a:getcomposer:composer:2.3.4
Getcomposer » Composer » Version: 2.3.5

cpe:2.3:a:getcomposer:composer:2.3.5
Getcomposer » Composer » Version: 2.3.6

cpe:2.3:a:getcomposer:composer:2.3.6
Getcomposer » Composer » Version: 2.3.7

cpe:2.3:a:getcomposer:composer:2.3.7
Getcomposer » Composer » Version: 2.3.8

cpe:2.3:a:getcomposer:composer:2.3.8
Getcomposer » Composer » Version: 2.3.9

cpe:2.3:a:getcomposer:composer:2.3.9
Getcomposer » Composer » Version: 2.4.0

cpe:2.3:a:getcomposer:composer:2.4.0
Getcomposer » Composer » Version: 2.4.1

cpe:2.3:a:getcomposer:composer:2.4.1
Getcomposer » Composer » Version: 2.4.2

cpe:2.3:a:getcomposer:composer:2.4.2
Getcomposer » Composer » Version: 2.4.3

cpe:2.3:a:getcomposer:composer:2.4.3
Getcomposer » Composer » Version: 2.4.4

cpe:2.3:a:getcomposer:composer:2.4.4
Getcomposer » Composer » Version: 2.5.0

cpe:2.3:a:getcomposer:composer:2.5.0
Getcomposer » Composer » Version: 2.5.1

cpe:2.3:a:getcomposer:composer:2.5.1
Getcomposer » Composer » Version: 2.5.2

cpe:2.3:a:getcomposer:composer:2.5.2
Getcomposer » Composer » Version: 2.5.3

cpe:2.3:a:getcomposer:composer:2.5.3
Getcomposer » Composer » Version: 2.5.4

cpe:2.3:a:getcomposer:composer:2.5.4
Getcomposer » Composer » Version: 2.5.5

cpe:2.3:a:getcomposer:composer:2.5.5
Getcomposer » Composer » Version: 2.5.6

cpe:2.3:a:getcomposer:composer:2.5.6
Getcomposer » Composer » Version: 2.5.7

cpe:2.3:a:getcomposer:composer:2.5.7
Getcomposer » Composer » Version: 2.5.8

cpe:2.3:a:getcomposer:composer:2.5.8
Getcomposer » Composer » Version: 2.6.0

cpe:2.3:a:getcomposer:composer:2.6.0
Getcomposer » Composer » Version: 2.6.1

cpe:2.3:a:getcomposer:composer:2.6.1
Getcomposer » Composer » Version: 2.6.2

cpe:2.3:a:getcomposer:composer:2.6.2
Getcomposer » Composer » Version: 2.6.3

cpe:2.3:a:getcomposer:composer:2.6.3
Getcomposer » Composer » Version: 2.6.4

cpe:2.3:a:getcomposer:composer:2.6.4
Getcomposer » Composer » Version: 2.7.0

cpe:2.3:a:getcomposer:composer:2.7.0
Getcomposer » Composer » Version: 2.7.1

cpe:2.3:a:getcomposer:composer:2.7.1
Getcomposer » Composer » Version: 2.7.2

cpe:2.3:a:getcomposer:composer:2.7.2
Getcomposer » Composer » Version: 2.7.3

cpe:2.3:a:getcomposer:composer:2.7.3
Getcomposer » Composer » Version: 2.7.4

cpe:2.3:a:getcomposer:composer:2.7.4
Getcomposer » Composer » Version: 2.7.5

cpe:2.3:a:getcomposer:composer:2.7.5
Getcomposer » Composer » Version: 2.7.6

cpe:2.3:a:getcomposer:composer:2.7.6
Getcomposer » Composer » Version: 2.7.7

cpe:2.3:a:getcomposer:composer:2.7.7
Getcomposer » Composer » Version: 2.7.8

cpe:2.3:a:getcomposer:composer:2.7.8
Getcomposer » Composer » Version: 2.7.9

cpe:2.3:a:getcomposer:composer:2.7.9
Getcomposer » Composer » Version: 2.8.0

cpe:2.3:a:getcomposer:composer:2.8.0
Getcomposer » Composer » Version: 2.8.1

cpe:2.3:a:getcomposer:composer:2.8.1
Getcomposer » Composer » Version: 2.8.10

cpe:2.3:a:getcomposer:composer:2.8.10
Getcomposer » Composer » Version: 2.8.11

cpe:2.3:a:getcomposer:composer:2.8.11
Getcomposer » Composer » Version: 2.8.12

cpe:2.3:a:getcomposer:composer:2.8.12
Getcomposer » Composer » Version: 2.8.2

cpe:2.3:a:getcomposer:composer:2.8.2
Getcomposer » Composer » Version: 2.8.3

cpe:2.3:a:getcomposer:composer:2.8.3
Getcomposer » Composer » Version: 2.8.4

cpe:2.3:a:getcomposer:composer:2.8.4
Getcomposer » Composer » Version: 2.8.5

cpe:2.3:a:getcomposer:composer:2.8.5
Getcomposer » Composer » Version: 2.8.6

cpe:2.3:a:getcomposer:composer:2.8.6
Getcomposer » Composer » Version: 2.8.7

cpe:2.3:a:getcomposer:composer:2.8.7
Getcomposer » Composer » Version: 2.8.8

cpe:2.3:a:getcomposer:composer:2.8.8
Getcomposer » Composer » Version: 2.8.9

cpe:2.3:a:getcomposer:composer:2.8.9
Getcomposer » Composer » Version: 2.9.0

cpe:2.3:a:getcomposer:composer:2.9.0
Getcomposer » Composer » Version: 2.9.1

cpe:2.3:a:getcomposer:composer:2.9.1
Getcomposer » Composer » Version: 2.9.2

cpe:2.3:a:getcomposer:composer:2.9.2
Getcomposer » Composer » Version: 2.9.3

cpe:2.3:a:getcomposer:composer:2.9.3
Getcomposer » Composer » Version: 2.9.4

cpe:2.3:a:getcomposer:composer:2.9.4
Getcomposer » Composer » Version: 2.9.5

cpe:2.3:a:getcomposer:composer:2.9.5

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-40176

Products

Pricing

Contact Us