Composer has a command injection via malicious perforce repository

Impact The Perforce::generateP4Command method constructed shell commands by interpolating user-supplied Perforce connection parameters port, user, client without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository...

GHSA-GQW4-4W2P-838Q Composer has a command injection via malicious perforce reference

Impact The Perforce::syncCodeBase method appended the $sourceReference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 the...

Command Injection

Overview composer/composer is a Dependency Manager for PHP. Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere. Affected versions of this package are vulnerable to Command Injection via the Perforce::syncCodeBase and...

Composer has a command injection via malicious perforce reference

Impact The Perforce::syncCodeBase method appended the $sourceReference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 the...

New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

Two high-severity security vulnerabilities have been disclosed in Composer, a package manager for PHP, that, if successfully exploited, could result in arbitrary command execution. The vulnerabilities have been described as command injection flaws affecting the Perforce VCS version control softwa...

Command injection via malicious Perforce source reference/url

Impact The Perforce::syncCodeBase method appended the $sourceReference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 the...

Command injection via malicious Perforce repository definition

Impact The Perforce::generateP4Command method constructed shell commands by interpolating user-supplied Perforce connection parameters port, user, client without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository...

PT-2026-32621

Name of the Vulnerable Software and Affected Versions Composer versions 1.0 through 2.2.26 Composer versions 2.3 through 2.9.5 Description A command injection issue exists in the Perforce VCS driver of Composer, a dependency manager for PHP. The Perforce::generateP4Command function constructs she...

PT-2026-32622

Name of the Vulnerable Software and Affected Versions Composer versions 1.0 through 2.2.26 Composer versions 2.3 through 2.9.5 Description Command injection is possible in the PHP dependency manager Composer. The Perforce::syncCodeBase function appends the $sourceReference parameter to a shell...

PHP Composer -- Multiple vulnerabilities

Composer project reports: Fixed command injection via malicious Perforce reference GHSA-gqw4-4w2p-838q / CVE-2026-40261 Fixed command injection via malicious Perforce repository definition GHSA-wg36-wvj6-r67p / CVE-2026-40176...

CVE-2018-1000145

An exposure of sensitive information vulnerability exists in Jenkins Perforce Plugin version 1.3.36 and older in PerforcePasswordEncryptor.java that allows attackers with local file system access to obtain encrypted Perforce passwords and decrypt them...

CVE-2010-0934

The triggers functionality in Perforce Server 2008.1 allows remote authenticated users with super privileges to execute arbitrary operating-system commands by using a "p4 client" command in conjunction with the form-in trigger script...

CVE-2010-0932

The FTP server in Perforce Server 2008.1 allows remote attackers to cause a denial of service NULL pointer dereference and daemon crash via a certain MKD command...

CVE-2010-0933

Directory traversal vulnerability in Perforce Server 2008.1 allows remote authenticated users to create arbitrary files via a .. dot dot in the argument to the "p4 add" command...

CVE-2010-0935

Perforce Server 2009.2 and earlier, when the protection table is empty, allows remote authenticated users to obtain super privileges via a "p4 protect" command...

CVE-2021-28973

The XML Import functionality of the Administration console in Perforce Helix ALM 2020.3.1 Build 22 accepts XML input data that is parsed by insecurely configured software components, leading to XXE attacks...

CVE-2025-68164

In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test...

CVE-2025-68164

In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test...

CVE-2025-68164

In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test...

CVE-2025-68164

JetBrains TeamCity is affected when running versions prior to 2025.11.0. CVE-2025-68164 allows port enumeration via the Perforce connection test. The issue is described as a low-severity, network-accessible condition (CVSS 3.1: 2.7; confidentiality impact Low; privileges required High; user inter...