How to Fix the 2026 Composer Security Vulnerabilities on Shared Hosting


If you manage a Flarum forum or any PHP project on shared hosting (like Hostinger), you might have heard about the critical security bugs (CVE-2026-40261 and CVE-2026-40176) discovered in April/May 2026. The related fix is described as: “Security: Fixed GitHub token validation and disclosure (GHSA-f9f8-rm49-7jv2)”.

These “supply-chain” vulnerabilities allow attackers to execute malicious code on your server through compromised package metadata. Most shared hosts are still running Composer version 2.8.x, which is vulnerable. Since you don’t have “root” access to update the system composer, you have to take matters into your own hands.

Here is how I secured my environment and updated to Composer 2.9.8 (the patched version) on my shared hosting account.

The Problem: Outdated System Composer

Most shared hosts manage Composer globally. If you run composer --version and see anything lower than 2.9.6 or 2.2.27 (LTS), your site is at risk. Even if you try to run composer self-update, the server will likely give you a “Permission Denied” error.

The Solution: A Local Secure Binary

We will install a private, secure version of Composer in your Home Root directory and tell the server to use it instead of the old one.

Step 1: Install the Patched Composer

Login to your server via SSH and navigate to your main home directory (not public_html, but one level above it):

cd ~
php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
php composer-setup.php
php -r "unlink('composer-setup.php');"

The installer writes a file called composer.phar into your home directory. This is the “brain” of the latest, secure Composer version.

Step 2: Create a Global Alias

To avoid typing php ~/composer.phar every time, we create an alias. This ensures that every time you type composer, the server uses your secure file.

Make sure the composer.phar file is in the home directory of your shared hosting account ( /home/u-userid/ ).

  1. Open your bash configuration: nano ~/.bashrc
  2. Add this line at the bottom: alias composer='php ~/composer.phar'
  3. Save and reload: source ~/.bashrc

Step 3: Verify the Fix

Now, check your version again: composer --version

You should see Composer version 2.9.8 (or higher). You are now protected!
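Steps 1 to 3 as one script, added here as an example and not part of the original post or of Composer's own tooling. Compared with the manual steps above it adds two checks a cautious admin wants on a shared host: it verifies the downloaded installer against the SHA-384 signature that Composer publishes at https://composer.github.io/installer.sig before executing it, and it refuses to finish unless the resulting composer.phar reports a version at or above the patched minimums named in this post (2.9.6, or 2.2.27 on the LTS line). The installer's --version and --install-dir options are real; the pinned version 2.9.8 and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: install a verified, pinned Composer into $HOME on shared hosting
# and confirm the result is a patched release. Not code from the original post.

PINNED_VERSION="2.9.8"    # patched release named in the post
PATCHED_MIN="2.9.6"       # minimum patched 2.x version named in the post
PATCHED_MIN_LTS="2.2.27"  # minimum patched 2.2 LTS version named in the post

# vercmp_ge A B -> exit 0 if dotted numeric version A is >= B
vercmp_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading component of each
        ai="${ai:-0}"; bi="${bi:-0}"          # missing component counts as 0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# is_patched VERSION -> exit 0 if VERSION meets the patched minimum for its line
is_patched() {
    case "$1" in
        2.2.*) vercmp_ge "$1" "$PATCHED_MIN_LTS" ;;
        *)     vercmp_ge "$1" "$PATCHED_MIN" ;;
    esac
}

# composer_version_from "Composer version X.Y.Z ..." -> prints X.Y.Z
composer_version_from() {
    printf '%s\n' "$1" | sed -n 's/^Composer version \([0-9][0-9.]*\).*/\1/p'
}

# sha384_of FILE -> prints the hex SHA-384 digest (coreutils or openssl)
sha384_of() {
    if command -v sha384sum >/dev/null 2>&1; then
        sha384sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha384 "$1" | sed 's/^.*= //'
    fi
}

# verify_installer FILE EXPECTED_HEX -> exit 0 only if the digest matches
verify_installer() {
    [ "$(sha384_of "$1")" = "$2" ]
}

# install_patched_composer: the network part, run from the shared host's $HOME
install_patched_composer() {
    cd "$HOME" || return 1
    php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
    php -r "copy('https://composer.github.io/installer.sig', 'installer.sig');"
    if ! verify_installer composer-setup.php "$(tr -d '[:space:]' < installer.sig)"; then
        echo "installer signature mismatch, refusing to run it" >&2
        rm -f composer-setup.php installer.sig
        return 1
    fi
    php composer-setup.php --install-dir="$HOME" --filename=composer.phar \
        --version="$PINNED_VERSION"
    rm -f composer-setup.php installer.sig
    ver="$(composer_version_from "$(php "$HOME/composer.phar" --version)")"
    if is_patched "$ver"; then
        echo "composer.phar $ver is at or above the patched minimum"
    else
        echo "composer.phar $ver is still below the patched minimum" >&2
        return 1
    fi
}

# Usage on the host: sh secure-composer.sh install
if [ "${1:-}" = "install" ]; then
    install_patched_composer
fi
```

One caveat the alias in Step 2 does not cover: ~/.bashrc is only read by interactive shells, so cron jobs and deploy hooks will still pick up the host's old Composer unless they call php ~/composer.phar by its full path.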

Important: The “Security Block” Error

Once you update, you might see an error when running composer update that looks like this:

“…found [package] but these were not loaded, because they are affected by security advisories…”

Don’t panic! This means the fix is working. The new Composer is automatically auditing your extensions and blocking you from installing plugins with known bugs (like recent vulnerabilities found in fof/pretty-mail).

What to do if a package is blocked:

  • Best: Update the package to a version that isn’t on the advisory list.
  • Alternative: If you trust the package and want to bypass the block, use: composer config audit.ignore [ADVISORY-ID]

Summary

By keeping a local composer.phar in your home path, you stay ahead of hosting provider update delays. It’s the single most effective way to protect your Flarum or Laravel sites from being the “weak link” in a supply-chain attack.

Stay secure!

About the Author: webmaster
