[HIGH] Command injection via malicious Perforce repository definition

PKSA-6bp1-9hfj-2cgv CVE-2026-40176 GHSA-wg36-wvj6-r67p

Affected package: composer/composer

Affected version: >=2.3,<2.9.6|>=1.0,<2.2.27

Reported by:
FriendsOfPHP/security-advisories, GitHub