Setup PHP: Command Injection in Repository-Derived PHP Version Resolution

Summary A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, setup-php may read the PHP version from: - .php-versio...

CVE-2026-40176

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command method, which constructs shell commands by interpolating user-supplied Perforce connection parameters port, user, client without...

Composer has a command injection via malicious perforce repository

Impact The Perforce::generateP4Command method constructed shell commands by interpolating user-supplied Perforce connection parameters port, user, client without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository...

Command injection via malicious Perforce repository definition

Impact The Perforce::generateP4Command method constructed shell commands by interpolating user-supplied Perforce connection parameters port, user, client without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository...

GHSA-9RXP-F27P-WV3H CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files

Summary The Fileeditor controller defines a hiddenItems array containing security-sensitive paths .env, composer.json, vendor/, .git/ but only enforces this protection in the listFiles method. The readFile, saveFile, deleteFileOrFolder, renameFile, createFile, and createFolder endpoints perform n...

CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Protected Files

Summary The Fileeditor controller defines a hiddenItems array containing security-sensitive paths .env, composer.json, vendor/, .git/ but only enforces this protection in the listFiles method. The readFile, saveFile, deleteFileOrFolder, renameFile, createFile, and createFolder endpoints perform n...

CVE-2025-9552

Vulnerability in Drupal Synchronize composer.Json With Contrib Modules.This issue affects Synchronize composer.Json With Contrib Modules:...

CVE-2025-9552

CVE-2025-9552 concerns the Drupal module Synchronize composer.Json With Contrib Modules . Public descriptions in connected documents indicate a vulnerability affecting the module in general (versions not specified). The NVD/NVD-derived metrics show a CVSS 3.1 base score of 5.3 (Medium) with an at...

CVE-2025-9552 Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102

Vulnerability in Drupal Synchronize composer.Json With Contrib Modules.This issue affects Synchronize composer.Json With Contrib Modules:...

CVE-2025-9552 Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102

Vulnerability in Drupal Synchronize composer.Json With Contrib Modules.This issue affects Synchronize composer.Json With Contrib Modules:...

Synchronize composer.json With Contrib Modules - Critical - Unsupported - SA-CONTRIB-2025-102

The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: https://www.drupal.org/node/251466s-becoming-owner-maintainer-or-co-mai...