Vulnerability-Lookup

OPENSUSE-SU-2026:10643-1

Vulnerability from csaf_opensuse - Published: 2026-04-28 00:00 - Updated: 2026-04-28 00:00

Summary

php-composer2-2.9.7-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: php-composer2-2.9.7-1.1 on GA media

Description of the patch: These are all security issues fixed in the php-composer2-2.9.7-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2026-10643

CVE-2026-40176

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

CVE-2026-40261

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vendor Fix To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".

References

URL

Category

	https://www.suse.com/support/security/rating/	external
	https://ftp.suse.com/pub/projects/security/csaf/o…	self
	https://www.suse.com/security/cve/CVE-2026-40176/	self
	https://www.suse.com/security/cve/CVE-2026-40261/	self
	https://www.suse.com/security/cve/CVE-2026-40176	external
	https://bugzilla.suse.com/1262254	external
	https://www.suse.com/security/cve/CVE-2026-40261	external
	https://bugzilla.suse.com/1262255	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "php-composer2-2.9.7-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the php-composer2-2.9.7-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2026-10643",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10643-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-40176 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-40176/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-40261 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-40261/"
      }
    ],
    "title": "php-composer2-2.9.7-1.1 on GA media",
    "tracking": {
      "current_release_date": "2026-04-28T00:00:00Z",
      "generator": {
        "date": "2026-04-28T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2026:10643-1",
      "initial_release_date": "2026-04-28T00:00:00Z",
      "revision_history": [
        {
          "date": "2026-04-28T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer2-2.9.7-1.1.aarch64",
                "product": {
                  "name": "php-composer2-2.9.7-1.1.aarch64",
                  "product_id": "php-composer2-2.9.7-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer2-2.9.7-1.1.ppc64le",
                "product": {
                  "name": "php-composer2-2.9.7-1.1.ppc64le",
                  "product_id": "php-composer2-2.9.7-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer2-2.9.7-1.1.s390x",
                "product": {
                  "name": "php-composer2-2.9.7-1.1.s390x",
                  "product_id": "php-composer2-2.9.7-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer2-2.9.7-1.1.x86_64",
                "product": {
                  "name": "php-composer2-2.9.7-1.1.x86_64",
                  "product_id": "php-composer2-2.9.7-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.9.7-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.aarch64"
        },
        "product_reference": "php-composer2-2.9.7-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.9.7-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.ppc64le"
        },
        "product_reference": "php-composer2-2.9.7-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.9.7-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.s390x"
        },
        "product_reference": "php-composer2-2.9.7-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.9.7-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.x86_64"
        },
        "product_reference": "php-composer2-2.9.7-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-40176",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-40176"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.aarch64",
          "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.ppc64le",
          "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.s390x",
          "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-40176",
          "url": "https://www.suse.com/security/cve/CVE-2026-40176"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262254 for CVE-2026-40176",
          "url": "https://bugzilla.suse.com/1262254"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.aarch64",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.ppc64le",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.s390x",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.aarch64",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.ppc64le",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.s390x",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-28T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-40176"
    },
    {
      "cve": "CVE-2026-40261",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-40261"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.aarch64",
          "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.ppc64le",
          "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.s390x",
          "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-40261",
          "url": "https://www.suse.com/security/cve/CVE-2026-40261"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262255 for CVE-2026-40261",
          "url": "https://bugzilla.suse.com/1262255"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.aarch64",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.ppc64le",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.s390x",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.aarch64",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.ppc64le",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.s390x",
            "openSUSE Tumbleweed:php-composer2-2.9.7-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-04-28T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-40261"
    }
  ]
}

CVE-2026-40176 (GCVE-0-2026-40176)

Vulnerability from cvelistv5 – Published: 2026-04-15 20:47 – Updated: 2026-04-16 14:16

Title

Composer is vulnerable to Command Injection via Malicious Perforce Repository

Summary

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-20 - Improper Input Validation
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	composer	composer	Affected: >= 2.3, < 2.9.6 Affected: >= 1.0, < 2.2.27

CVE-2026-40261 (GCVE-0-2026-40261)

Vulnerability from cvelistv5 – Published: 2026-04-15 20:56 – Updated: 2026-04-16 13:41

Title

Composer has Command Injection via Malicious Perforce Reference

Summary

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-20 - Improper Input Validation

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	composer	composer	Affected: >= 2.3.0, < 2.9.6 Affected: >= 1.0.0, < 2.2.27

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

OPENSUSE-SU-2026:10643-1

CVE-2026-40176 (GCVE-0-2026-40176)

CVE-2026-40261 (GCVE-0-2026-40261)

Tags

Sightings

Nomenclature