{
  "threat_severity" : "Important",
  "public_date" : "2026-04-15T20:56:32Z",
  "bugzilla" : {
    "description" : "composer: command injection via malicious Perforce source reference/url",
    "id" : "2458841",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2458841"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-78",
  "details" : [ "A flaw was found in Composer. `Perforce::syncCodeBase()` appends the `$sourceReference` parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters." ],
  "statement" : "This issue can be exploited via any package served by a compromised or malicious Composer repository when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. Exploitation results in arbitrary command execution. Due to these reasons, this flaw has been rated with an important severity.",
  "affected_release" : [ {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-14T00:00:00Z",
    "advisory" : "RHSA-2026:8165",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "composer-main-2.9.7-1.hum1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40261\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40261\nhttps://github.com/composer/composer/releases/tag/2.9.6\nhttps://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q" ],
  "name" : "CVE-2026-40261",
  "mitigation" : {
    "value" : "To mitigate this issue, only run Composer commands on projects and dependencies from trusted sources. Also, use the '--prefer-dist' or the 'preferred-install: dist' configuration setting to prevent Composer from installing dependencies from source.",
    "lang" : "en:us"
  },
  "csaw" : false
}