Alpine: multiple composer packages: security update to 2.9.6-r0

high Tenable Cloud Security Plugin ID 440341

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a
command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell
commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper
escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json
declaring a Perforce VCS repository, leading to command execution in the context of the user running
Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json
or the composer config directory, so this cannot be exploited through composer.json files of packages
installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with
attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6
(mainline). (CVE-2026-40176)

- Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a
command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference
parameter to a shell command without proper escaping, and additionally in the
Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-
supplied Perforce connection parameters (port, user, client) from the source url field without proper
escaping. An attacker can inject arbitrary commands through crafted source reference or source url values
containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source
reference and url are provided as part of package metadata, meaning any compromised or malicious Composer
repository can serve package metadata declaring perforce as a source type with malicious values. This
vulnerability is exploitable when installing or updating dependencies from source, including the default
behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and
2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies
from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted
Composer repositories as a workaround. (CVE-2026-40261)

Solution

Update the composer library and its related packages to version 2.9.6-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-40176

https://security.alpinelinux.org/vuln/CVE-2026-40261

Plugin Details

Severity: High

ID: 440341

Version: Revision 1.7

Type: Local

Published: 4/14/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.46

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2026-40261

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Reference Information

CVE: CVE-2026-40176, CVE-2026-40261