81 matches found
CVE-2026-11914 Composer - Critical - Unsupported - SA-CONTRIB-2026-046
vulnerability in Drupal Composer allows . This issue affects Composer versions:...
CVE-2026-59948 Composer: Arbitrary file write outside vendor via malicious transitive package name
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project...
CVE-2026-59946
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...
CVE-2026-59946 Composer: Path traversal in package bin field lets dependencies chmod arbitrary host files
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...
CVE-2026-46765
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware component: Composer. Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter...
Amazon Linux 2023 : composer (ALAS2023-2026-1800)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1800 advisory. Github Actions issued GITHUBTOKEN disclosure in GitHub Actions logs CVE-2026-45793 Tenable has extracted the preceding description block directly from the tested product security advisory. Note that...
Astra Linux – Vulnerability in Composer
Composer is a dependency manager for PHP. Users who publish a composer.phar file to a publicly accessible web server where the file can be executed as a PHP file may be subject to a remote code execution vulnerability if PHP also has registerargcargv enabled in php.ini. Versions 2.6.4, 2.2.22, an...
Astra Linux – Vulnerability in Composer
Composer is a dependency manager for PHP. The URLs for Mercurial repositories in the composer.json file at the root level, as well as the source download URLs, are not sanified correctly. Specifically crafted URL values allow code to be executed via the HgDriver if hg/Mercurial is installed on th...
Unity Linux 20.1070a Security Update: osbuild-composer (UTSA-2026-016490)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016490 advisory. Within HostnameError.Error, when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is...
The vulnerability of the syncCodeBase() function in the Composer dependency management tool allows a hacker to inject arbitrary commands.
The vulnerability of the syncCodeBase function in the Composer dependency management tool is related to insufficient validation of input data. Exploiting this vulnerability allows a malicious actor to inject arbitrary commands through specially created source URLs or URLs...
BIT-COMPOSER-2026-40261 Composer has Command Injection via Malicious Perforce Reference
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the...
BIT-COMPOSER-2026-40176 Composer is vulnerable to Command Injection via Malicious Perforce Repository
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command method, which constructs shell commands by interpolating user-supplied Perforce connection parameters port, user, client without...
Exploit for CVE-2026-40176
!CAUTION THIS REPOSITORY CONTAINS PROOF-OF-CONCEPT CODE FO...
CVE-2026-40176
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command method, which constructs shell commands by interpolating user-supplied Perforce connection parameters port, user, client without...
CVE-2026-40261 Composer has Command Injection via Malicious Perforce Reference
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the...
CVE-2026-40261 Composer has Command Injection via Malicious Perforce Reference
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the...
CVE-2026-40176 Composer is vulnerable to Command Injection via Malicious Perforce Repository
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command method, which constructs shell commands by interpolating user-supplied Perforce connection parameters port, user, client without...
CVE-2026-40176 Composer is vulnerable to Command Injection via Malicious Perforce Repository
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command method, which constructs shell commands by interpolating user-supplied Perforce connection parameters port, user, client without...
CVE-2026-40176
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command method, which constructs shell commands by interpolating user-supplied Perforce connection parameters port, user, client without...
CVE-2026-40176
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command method, which constructs shell commands by interpolating user-supplied Perforce connection parameters port, user, client without...