php

Two Composer Command Injection Flaws Let Attackers Run Arbitrary Code - Even Without Perforce

CVE-2026-40176 and CVE-2026-40261 affect all Composer 2.x versions. A malicious composer.json or crafted package metadata can execute OS commands on your machine. Upgrade to 2.9.6 now.