Close Menu
    What's Hot

    A Year After DOGE Cuts, Social Security Is Trying to Stabilize

    OpenAI Staffers Are Funding a Rival Super PAC to Take on Their Boss

    What’s the difference between artificial intelligence and synthetic intelligence —and why does it matter?

    Facebook X (Twitter) Instagram
    Trending
    • A Year After DOGE Cuts, Social Security Is Trying to Stabilize
    • OpenAI Staffers Are Funding a Rival Super PAC to Take on Their Boss
    • What’s the difference between artificial intelligence and synthetic intelligence —and why does it matter?
    • ICE Shootings Put Spotlight on Lack of Body Cameras
    • US attacks Iran as IRGC claims strikes on US military sites in Gulf | US-Israel war on Iran News
    • Iran War Live Updates: Fears of Return to Full-Scale Conflict As Strikes Intensify
    • OpenAI pushes back on Apple trade secret lawsuit
    • What Trump’s New Iran Blockade Could Mean for Oil Prices
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

    adminBy adminApril 14, 2026No Comments2 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananApr 14, 2026Vulnerability / DevSecOps

    New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

    Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution.

    The vulnerabilities have been described as command injection flaws affecting the Perforce VCS (version control software) driver. Details of the two flaws are below –

    • CVE-2026-40176 (CVSS score: 7.8) – An improper input validation vulnerability that could allow an attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository to inject arbitrary commands, resulting in command execution in the context of the user running Composer.
    • CVE-2026-40261 (CVSS score: 8.8) – An improper input validation vulnerability stemming from inadequate escaping that could allow an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.

    In both cases, Composer would execute these injected commands even if Perforce VCS is not installed, the maintainers noted in an advisory.

    Cybersecurity

    The vulnerabilities affect the following versions –

    • >= 2.3, < 2.9.6 (Fixed in version 2.9.6)
    • >= 2.0, < 2.2.27 (Fixed in version 2.2.27)

    If immediate patching is not an option, it’s advised to inspect composer.json files before running Composer and verify that Perforce-related fields contain valid values. It’s also recommended to only use trusted Composer repositories, run Composer commands on projects from trusted sources, and avoid installing dependencies using the “–prefer-dist” or the “preferred-install: dist” configuration setting.

    Composer said it scanned Packagist.org and did not find any evidence of the aforementioned vulnerabilities being exploited by threat actors by publishing packages with malicious Perforce information. A new release is expected to be shipped for Private Packagist Self-Hosted customers.

    “As a precaution, publication of Perforce source metadata has been disabled on Packagist.org since Friday, April 10th, 2026,” it said. “Composer installations should be updated immediately regardless.”

    Arbitrary Command Composer Enable Execution Flaws Patches PHP Released
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleWC army deployment — a plaster on gang gunshot wounds
    Next Article Prime Video is bundling Apple TV Plus and Peacock for a limited time
    admin
    • Website

    Related Posts

    Two SonicWall SMA 1000 Zero-Days Exploited, One Could Enable Admin Commands

    July 15, 2026

    OAuth Client ID Spoofing Lets Attackers Validate Stolen Microsoft Entra Credentials

    July 15, 2026

    How Pentera Turns AI Security Workflows into Validation Engines

    July 15, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    A Year After DOGE Cuts, Social Security Is Trying to Stabilize

    OpenAI Staffers Are Funding a Rival Super PAC to Take on Their Boss

    What’s the difference between artificial intelligence and synthetic intelligence —and why does it matter?

    ICE Shootings Put Spotlight on Lack of Body Cameras

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by