Packagist Supply Chain Attack Infects 8 Packages Using GitHub-Hosted Linux Malware
A new "coordinated" supply chain attack campaign has impacted eight packages on Packagist, injecting malicious code designed to run a Linux binary retrieved from a GitHub Releases URL. "Although the affected packages were all Composer packages, the malicious code was not added to composer.json,"...
EUVD-2025-200275
Mautic user without privileged access to the Marketplace can install and uninstall composer packages...
Mautic user without privileged access to the Marketplace can install and uninstall composer packages
Summary: A non-privileged user can install and remove arbitrary packages via Composer on a Composer-based install, even if the "enable Composer-based update" flag in the update settings is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain higher privilege...
GHSA-3FQ7-C5M8-G86X Mautic user without privileged access to the Marketplace can install and uninstall composer packages
Summary: A non-privileged user can install and remove arbitrary packages via Composer on a Composer-based install, even if the "enable Composer-based update" flag in the update settings is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain higher privilege...
CVE-2025-13828
Summary: A non-privileged user can install and remove arbitrary packages via Composer on a Composer-based install, even if the "enable Composer-based update" flag in the update settings is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain higher privileges...
CVE-2025-13828 Mautic user without privileged access to the Marketplace can install and uninstall composer packages
Summary: A non-privileged user can install and remove arbitrary packages via Composer on a Composer-based install, even if the "enable Composer-based update" flag in the update settings is unticked. Impact: A low-privileged user of the platform can install malicious code to obtain higher privileges...
CVE-2025-13828
Mautic platform: a flaw in the Composer-based update/Marketplace flow allows a non-privileged user to install and remove arbitrary Composer packages even when the enable-composer-based-update flag is off. Root cause: improper privilege management in the Marketplace integration enabling privilege escalatio...
PT-2025-48724
Name of the vulnerable software and affected versions: Mautic (affected versions not specified). Description: A user with limited privileges can bypass restrictions related to Composer and install or remove packages. This can occur even if the platform's update settings have Composer-based updates...
EUVD-2023-44589
Malicious code in bioql PyPI...
CVE-2024-35241 vulnerabilities
Vulnerabilities for packages: composer...
GHSA-47F6-5GQ3-VX9C vulnerabilities
Vulnerabilities for packages: composer...
BIT-GITLAB-2023-3964 Incorrect Authorization in GitLab
An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disable...
Enumerate PHP Composer Packages (Linux / Unix)
Binary data phpcomposerenumnix.nbin...
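The plugin above enumerates installed Composer packages on a Linux host; the Packagist campaign at the top of the list is a reminder of why that inventory matters when the injected code never appears in composer.json. As an added example (not code from the page, from Tenable's plugin, or from any project named here), the script below parses vendor/composer/installed.json, handles both the Composer 2 ({"packages": [...]}) and Composer 1 (bare list) layouts, and flags packages that run PHP during `composer install` (type composer-plugin) or whose dist archive comes from somewhere other than an expected host. The trusted host set, the hypothetical package acme/build-helper, and the "/releases/download/" heuristic are assumptions for illustration, not facts from the page.

```python
"""Enumerate Composer packages from vendor/composer/installed.json.

Reports name, version and type for every installed package and attaches
flags for the things a reviewer wants to see first:
  - composer-plugin: the package's PHP runs inside Composer on install/update
  - untrusted-dist-host: the dist archive was fetched from a host outside
    TRUSTED_DIST_HOSTS (assumption: Packagist-backed dists come from
    api.github.com zipballs; adjust for private registries)
  - github-releases-download: the dist URL points at a GitHub Releases asset
    (heuristic, chosen because the campaign described on this page pulled a
    binary from a GitHub Releases URL)
"""
import json
from pathlib import Path
from urllib.parse import urlparse

# Assumption for this example; a real deployment lists its own registries/mirrors.
TRUSTED_DIST_HOSTS = frozenset({"api.github.com"})

# Constructed sample installed.json (Composer 2 layout). acme/build-helper and
# its URL are hypothetical; monolog's dist URL mirrors the Packagist zipball form.
SAMPLE_INSTALLED_JSON = json.dumps({
    "packages": [
        {
            "name": "monolog/monolog", "version": "3.5.0", "type": "library",
            "dist": {"type": "zip",
                     "url": "https://api.github.com/repos/Seldaek/monolog/zipball/abc123"},
            "source": {"type": "git", "url": "https://github.com/Seldaek/monolog.git"},
        },
        {
            "name": "acme/build-helper", "version": "1.0.2", "type": "composer-plugin",
            "dist": {"type": "zip",
                     "url": "https://github.com/example/build-helper/releases/download/v1.0.2/helper.zip"},
            "extra": {"class": "Acme\\BuildHelper\\Plugin"},
        },
    ]
})


def parse_installed_json(text):
    """Return the package list from either installed.json layout."""
    data = json.loads(text)
    if isinstance(data, dict):          # Composer 2: {"packages": [...], "dev": ...}
        packages = data.get("packages", [])
    elif isinstance(data, list):        # Composer 1: bare list of packages
        packages = data
    else:
        raise ValueError("unrecognised installed.json layout")
    return [p for p in packages if isinstance(p, dict) and "name" in p]


def flag_package(pkg, trusted_hosts=TRUSTED_DIST_HOSTS):
    """Return a list of review flags for one package record."""
    flags = []
    if pkg.get("type") == "composer-plugin":
        flags.append("composer-plugin")
    dist_url = (pkg.get("dist") or {}).get("url", "")
    if dist_url:
        host = urlparse(dist_url).hostname or ""
        if host not in trusted_hosts:
            flags.append("untrusted-dist-host:" + host)
        if "/releases/download/" in dist_url:
            flags.append("github-releases-download")
    return flags


def enumerate_packages(text, trusted_hosts=TRUSTED_DIST_HOSTS):
    """Parse installed.json text into [{name, version, type, flags}, ...]."""
    return [
        {
            "name": p["name"],
            "version": p.get("version", "?"),
            "type": p.get("type", "library"),
            "flags": flag_package(p, trusted_hosts),
        }
        for p in parse_installed_json(text)
    ]


def enumerate_vendor(project_root, trusted_hosts=TRUSTED_DIST_HOSTS):
    """Enumerate a real project: <project_root>/vendor/composer/installed.json."""
    path = Path(project_root) / "vendor" / "composer" / "installed.json"
    return enumerate_packages(path.read_text(encoding="utf-8"), trusted_hosts)


if __name__ == "__main__":
    for rec in enumerate_packages(SAMPLE_INSTALLED_JSON):
        marker = " <-- " + ", ".join(rec["flags"]) if rec["flags"] else ""
        print(f'{rec["name"]} {rec["version"]} ({rec["type"]}){marker}')
```

Run it against a project with `enumerate_vendor("/var/www/app")`; anything flagged composer-plugin deserves a look at the class named in `extra.class`, since that code executes with the privileges of whoever runs `composer install`, and a dist host outside the expected set is the quickest tell that a package did not come through the registry you think it did.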
GitLab 13.2 < 16.4.3 / 16.5 < 16.5.3 / 16.6 < 16.6.1 (CVE-2023-3964)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was...
GitLab 16.5 < 16.5.3 / 16.6 < 16.6.1 (CVE-2023-6396)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab reports: XSS and ReDoS in Markdown via Banzai pipeline of Jira; Members with admingroupmember custom permission can add members with higher role; Release Description visible in public projects...
Design/Logic Flaw
An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disable...
CVE-2023-3964
CVE-2023-3964 affects GitLab versions from 13.2 before 16.4.3, from 16.5 before 16.5.3, and from 16.6 before 16.6.1, allowing users to access Composer packages in public projects even when the package registry is disabled in project settings. The vulnerability's impact is limited to access/reading; no other data manipulation is indicated. Mit...
CVE-2023-3964
Removed by vendor...
CVE-2023-3964 Incorrect Authorization in GitLab
An issue has been discovered in GitLab affecting all versions starting from 13.2 before 16.4.3, all versions starting from 16.5 before 16.5.3, all versions starting from 16.6 before 16.6.1. It was possible for users to access composer packages on public projects that have package registry disable...