{"uuid": "7fc6e23a-3fce-4e51-b835-abceb24329be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-40261", "type": "seen", "source": "https://bsky.app/profile/canartuc.com/post/3mknjafwaxg2f", "content": "Composer (PHP package manager) shipped 2.9.6 in April with two command-injection fixes in its Perforce driver. CVE-2026-40261, severity 8.8. A malicious composer.json runs the shell whether or not Perforce is installed. Most CI teams keep no audit trail.\n\n#PHP #CyberSecurity #DevOps", "creation_timestamp": "2026-04-29T16:25:46.239382Z"}