Php

Composer Command Injection (CVE-2026-40261, CVE-2026-40176): Any Malicious Repository Can Execute Code on Your Build Machines

Two high-severity command injection flaws in PHP's Composer package manager allow arbitrary command execution via malicious repository metadata — no Perforce installation required for the worst one.