SCA: security update for composer/composer (GHSA-gqw4-4w2p-838q)

high Tenable Cloud Security Plugin ID 440409

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a
command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference
parameter to a shell command without proper escaping, and additionally in the
Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-
supplied Perforce connection parameters (port, user, client) from the source url field without proper
escaping. An attacker can inject arbitrary commands through crafted source reference or source url values
containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source
reference and url are provided as part of package metadata, meaning any compromised or malicious Composer
repository can serve package metadata declaring perforce as a source type with malicious values. This
vulnerability is exploitable when installing or updating dependencies from source, including the default
behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and
2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies
from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted
Composer repositories as a workaround. (CVE-2026-40261)

Solution

Update the composer/composer library and its related packages to version 2.2.27 or later.

See Also

https://github.com/advisories/GHSA-gqw4-4w2p-838q

Plugin Details

Severity: High

ID: 440409

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 4/15/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: High

Score: 7.6

Percentile: 98.46

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-40261

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/14/2026

Vulnerability Publication Date: 4/14/2026

Reference Information

CVE: CVE-2026-40261