
Fedora 44 Composer Security Advisory CVE-2026-40176 Command Injection Issue

Published: April 25, 2026
Composer 2.9.7 for Fedora 44 fixes two command injection vulnerabilities in Composer's Perforce VCS support (CVE-2026-40261 and CVE-2026-40176, severity important) along with further security hardening in the git, hg and fossil drivers. Updating is recommended now.

Summary

Composer helps you declare, manage and install dependencies of PHP projects, ensuring you have the right stack everywhere.

Documentation: https://getcomposer.org/doc/

Update Information:

Version 2.9.7 - 2026-04-14
* Fixes regression calling custom script command aliases that are called a substring of a composer command (#12802)

Version 2.9.6 - 2026-04-14
* Security: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)
* Security: Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)
* Security: Fixed git credentials remaining in git mirror .git/config after clone or update failed (2bcbfc3d)
* Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (5e71d77e)
* Security: Fixed Perforce unescaped user input in queryP4User shell command (ef3fc088)
* Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (6621d45, d836b90, 5e08c764)
* Fixed inconsistent treatment of SingleCommandApplication script commands wrt autoloading (#12758)
* Fixed GitHub API authentication errors not being visible t...

Change Log

* Tue Apr 14 2026 Remi Collet - 2.9.7-1
- update to 2.9.7
* Tue Apr 14 2026 Remi Collet - 2.9.6-1
- update to 2.9.6

References


[ 1 ] Bug #2459009 - CVE-2026-40261 composer: command injection via malicious Perforce source reference/url [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2459009
[ 2 ] Bug #2459011 - CVE-2026-40176 composer: command injection via malicious Perforce repository definition [fedora-all]
      https://bugzilla.redhat.com/show_bug.cgi?id=2459011

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-1140c02041' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
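Installing the advisory is the main step, but the update notes above point at two things the package upgrade alone does not take care of: an older Composer may already have left git credentials in a cached mirror's config after a failed clone or update, and any tooling that hands branch names or revisions to a VCS command line should refuse identifiers that could be read as options. The following POSIX shell script is an added example written for this page; it is not part of the Fedora advisory or of Composer. It checks the installed rpm against the fixed version 2.9.7, scans the Composer VCS cache for http(s) remote URLs carrying embedded credentials, and includes a conservative allow-list check for VCS refs. The function names (version_ge, installed_composer_version, find_leaked_git_credentials, vcs_ref_is_safe, demo_scan) and the regex are this example's own; the cache location ${COMPOSER_CACHE_DIR:-$HOME/.cache/composer}/vcs and the use of `rpm -q --qf` are assumptions about a default Fedora setup, and the two config files written by demo_scan are constructed sample data, not real cache contents.

```sh
#!/bin/sh
# Added example (not from the Fedora advisory or Composer): post-update checks.
# 1. Is the installed composer at or above the fixed version 2.9.7?
# 2. Did a failed clone/update before the fix leave credentials in a cached
#    git mirror's config? Upgrading does not scrub files already on disk.
# 3. Allow-list check for refs passed to a VCS command line.
# Assumptions: versions are dotted integers (an rpm release suffix such as
# "-1.fc44" is stripped); cached mirrors live under
# ${COMPOSER_CACHE_DIR:-$HOME/.cache/composer}/vcs (assumed default).

FIXED_VERSION="2.9.7"

# version_ge A B: exit 0 if dotted version A is >= B, else 1.
version_ge() {
    a="${1%%-*}."; b="${2%%-*}."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# installed_composer_version: VERSION of the composer rpm, or nothing when
# rpm is absent or the package is not installed.
installed_composer_version() {
    if rpm -q composer >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' composer
    fi
}

# An http(s) remote URL with a userinfo part ("user:token@..." or "token@...").
# ssh remotes such as git@github.com: are expected and are not flagged.
CRED_URL_RE='^[[:space:]]*url[[:space:]]*=[[:space:]]*https?://[^/@[:space:]]+@'

# find_leaked_git_credentials DIR: print each git config under DIR whose
# remote URL embeds credentials; exit 0 if any were found, 1 otherwise.
find_leaked_git_credentials() {
    hits=$(find "$1" -type f -name config -exec grep -lE "$CRED_URL_RE" {} + \
           2>/dev/null || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
}

# vcs_ref_is_safe REF: exit 0 only for a ref that cannot be mistaken for a
# command-line option or break a shell command: non-empty, not starting with
# "-", limited to [A-Za-z0-9._/+-]. A conservative allow-list in the spirit
# of the identifier hardening in the update notes, not Composer's own rule.
vcs_ref_is_safe() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._/+-]*) return 1 ;;
    esac
    return 0
}

# demo_scan: constructed sample cache with one clean mirror and one mirror
# left holding a token; prints the number of configs flagged (expected: 1).
demo_scan() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vcs/clean-mirror" "$tmp/vcs/leaky-mirror"
    printf '[remote "origin"]\n\turl = https://github.com/example/clean.git\n' \
        > "$tmp/vcs/clean-mirror/config"
    printf '[remote "origin"]\n\turl = https://x-access-token:EXAMPLE_TOKEN@github.com/example/private.git\n' \
        > "$tmp/vcs/leaky-mirror/config"
    n=$(find_leaked_git_credentials "$tmp/vcs" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$n"
}

# Stand-alone run against the live host.
v=$(installed_composer_version)
if [ -z "$v" ]; then
    echo "composer rpm not installed here; skipping version check"
elif version_ge "$v" "$FIXED_VERSION"; then
    echo "composer $v is at or above $FIXED_VERSION"
else
    echo "composer $v predates the fix; run: su -c 'dnf upgrade --advisory FEDORA-2026-1140c02041'"
fi

if find_leaked_git_credentials "${COMPOSER_CACHE_DIR:-$HOME/.cache/composer}/vcs"; then
    echo "credentials found in the mirrors above: delete those mirrors and rotate the tokens"
else
    echo "no credential-bearing remote URLs in cached mirrors"
fi

for r in main release/2.9 --upload-pack=x 'main;id'; do
    if vcs_ref_is_safe "$r"; then echo "ref ok:       $r"; else echo "ref rejected: $r"; fi
done
echo "constructed sample scan flagged $(demo_scan) mirror(s)"
```

A flagged mirror is not fixed by deleting the file alone: the token in that URL has been sitting on disk and should be rotated. The ref allow-list is deliberately stricter than what git accepts; if a project legitimately needs other characters, widen the class rather than dropping the leading-dash rule, since that is the case the update notes single out.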

Severity
important

Name: composer
Product: Fedora 44
Version: 2.9.7
Release: 1.fc44
Summary: Dependency Manager for PHP
