Close Menu
    What's Hot

    Nations Championship: England rugby players to avoid wearing national shirts in Argentina as football counterparts face off at World Cup | Rugby Union News

    Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware

    He Has a $25 Million Bounty on His Head, But Is Also a U.S. Partner in Venezuela.

    Facebook X (Twitter) Instagram
    Trending
    • Nations Championship: England rugby players to avoid wearing national shirts in Argentina as football counterparts face off at World Cup | Rugby Union News
    • Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware
    • He Has a $25 Million Bounty on His Head, But Is Also a U.S. Partner in Venezuela.
    • Travel Tips: How to Wait in Line (and Keep Your Cool)
    • Are Chanel Ballet Flats Now the Birkins of the Foot?
    • Trump’s Latest Nominee for C.D.C. Director Will Face Senate Panel
    • Opinion | ‘It’s Chaos’: What New York’s Suburbs Can Tell Us About the Mood of the Country
    • Opinion | How I Stayed Sane as a World Cup Goalkeeper
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

    adminBy adminApril 14, 2026No Comments2 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananApr 14, 2026Vulnerability / DevSecOps

    New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

    Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution.

    The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below –

    • CVE-2026-40176 (CVSS score: 7.8) – An improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer.
    • CVE-2026-40261 (CVSS score: 8.8) – An improper input validation vulnerability stemming from inadequate escaping that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.

    In both cases, Composer would execute these injected commands even if Perforce VCS is not installed, the maintainers noted in an advisory.

    Cybersecurity

    The vulnerabilities affect the following versions –

    • >= 2.3, < 2.9.6 (Fixed in version 2.9.6)
    • >= 2.0, < 2.2.27 (Fixed in version 2.2.27)

    If immediate patching is not an option, it’s advised to inspect composer.json files before running Composer and verify that Perforce-related fields contain valid values. It’s also recommended to only use trusted Composer repositories, run Composer commands on projects from trusted sources, and avoid installing dependencies using the “–prefer-dist” or the “preferred-install: dist” configuration setting.

    Composer said it scanned Packagist.org and did not find any evidence of the aforementioned vulnerabilities being exploited by threat actors by publishing packages with malicious Perforce information. A new release is expected to be shipped for Private Packagist Self-Hosted customers.

    “As a precaution, publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026,” it said. “Composer installations should be updated immediately regardless.”

    Arbitrary Command Composer Enable Execution Flaws Patches PHP Released
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleWC army deployment — a plaster on gang gunshot wounds
    Next Article Prime Video is bundling Apple TV Plus and Peacock for a limited time
    admin
    • Website

    Related Posts

    Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware

    July 15, 2026

    Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands

    July 15, 2026

    OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials

    July 15, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Nations Championship: England rugby players to avoid wearing national shirts in Argentina as football counterparts face off at World Cup | Rugby Union News

    Compromised AsyncAPI npm Packages Deliver Multi-Stage Botnet Malware

    He Has a $25 Million Bounty on His Head, But Is Also a U.S. Partner in Venezuela.

    Travel Tips: How to Wait in Line (and Keep Your Cool)

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by