3 matches found
GHSA-GQW4-4W2P-838Q Composer has a command injection via malicious perforce reference
Impact: The Perforce::syncCodeBase method appended the $sourceReference parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters. Further as in GHSA-wg36-wvj6-r67p / CVE-2026-40176 the...
A vulnerability in the Branch Name Handler component of the PHP Composer dependency manager allows an attacker to execute arbitrary commands.
The vulnerability of the Branch Name Handler component in the PHP Composer dependency manager is related to the use of the composer install command executed within the git/hg repository. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands...
CVE-2024-35242 Composer vulnerable to command injection via malicious git/hg branch names
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are availab...