20 matches found
CVE-2026-40176 Composer is vulnerable to Command Injection via Malicious Perforce Repository
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without...
CVE-2026-40176
CVE-2026-40176 affects Composer (PHP dependency manager). The vulnerability lies in Perforce integration: Perforce::generateP4Command() constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping, enabling command injection....
Linux Distros Unpatched Vulnerability : CVE-2026-40176
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the...
GHSA-WG36-WVJ6-R67P Composer has a command injection via malicious perforce repository
Impact: The Perforce::generateP4Command method constructed shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker controlling a repository configuration in a malicious composer.json declaring a Perforce VCS repository...
Drupal Synchronize composer.json With Contrib Modules module * - Authenticated Other Vulnerability Type vulnerability
Authenticated Other Vulnerability Type vulnerability discovered by Drupal Security Site in WordPress Module Synchronize composer.json With Contrib Modules versions...
File Upload Filter Bypass
Description A sanitization filter bypass in plupload.php in MicroweberCMS v1.3.1 allows remote authenticated attackers to upload files outside the restricted location. The target $path for the image is being sanitized here: php $pathrestirct = userfilespath; if isset$REQUEST'path' and...
Cross-site Scripting (XSS)
microweber/microweber is vulnerable to cross-site scripting. The vulnerability exists due to the vulnerable microweber-templates/bootstrap5, microweber-templates/new-world and microweber-templates/shopmag dependencies used in composer.json, allowing an attacker to inject and execute malicious...
Cross-Site Scripting (XSS)
typo3/cms and typo3/html-sanitizer are vulnerable to cross-site scripting. The vulnerability exists due to the vulnerable typo3/html-sanitize dependency used in composer.json, which does not properly sanitize sequences with special HTML comments, allowing an attacker to inject and execute malicio...
Cross-site Scripting (XSS)
typo3/html-sanitizer is vulnerable to cross-site scripting. The vulnerability exists due to the vulnerable masterminds/html5 dependency used in composer.json, which does not properly sanitize the comment end bang state in the isCommentEnd function of Tokenizer.php, allowing an attacker to inject...
USN-5220-1 composer vulnerability
It was discovered that Composer did not properly sanitize URLs for Mercurial repositories in the root composer.json and package source download URLs. A remote attacker could possibly use this issue to execute arbitrary code...
Missing input validation can lead to command execution in composer
The Composer method VcsDriver::getFileContent with user-controlled $file or $identifier arguments is susceptible to an argument injection vulnerability. It can be leveraged to gain arbitrary command execution if the Mercurial or the Git driver are used. This led to a vulnerability on Packagist.or...
Server-Side Request Forgery (SSRF)
rudloff/alltube is vulnerable to server-side request forgery. The vulnerability exists in composer.json due to missing dependencies which allows an attacker to pass internal host names in the URL parameter and obtain information...
Mageia: Security Advisory (MGASA-2017-0429)
The remote host is missing an update for the...
Cross-site Scripting (XSS) - Stored in harish81/digidocu
Description: DigiDocu is a CMS written in PHP using the Laravel Framework. Laravel uses the Blade templating engine, which sanitizes the HTML by default. But DigiDocu is trying to render some HTML content without validating the input that comes from the user's profile, i.e. users can write some HTML using...
CVE-2020-15080
In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6. A possible workaround is to make sure composer.json and docker-compose.yml are not accessible on your server...
CVE-2020-15080 Information disclosure in release archive in PrestaShop
In PrestaShop from version 1.7.4.0 and before version 1.7.6.6, some files should not be in the release archive, and others should not be accessible. The problem is fixed in version 1.7.6.6. A possible workaround is to make sure composer.json and docker-compose.yml are not accessible on your server...
flightsclaim.co.uk XSS vulnerability
Open Bug Bounty ID: OBB-654787. Affected Website: flightsclaim.co.uk; Vulnerable Application: Custom Code; Vulnerability Type: XSS Cross Site Scripting / CWE-79; CVSSv3 Score: 6.1...
oneluxstudio.com Improper Access Control vulnerability
Open Bug Bounty ID: OBB-578863. Affected Website: oneluxstudio.com; Vulnerable Application: Custom Code; Vulnerability Type: IAC Improper Access Control / CWE-284; CVSSv3 Score: 6.5...
FreeBSD : mediawiki -- multiple vulnerabilities (298829e2-ccce-11e7-92e4-000c29649f92)
mediawiki reports: security fixes: T128209: Reflected File Download from api.php. Reported by Abdullah Hussam. T165846: BotPasswords doesn't throttle login attempts. T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password. T178451:...
Monolog version used has vulnerabilities
The default composer.json file installs Monolog v1.5, which contains known vulnerabilities. Monolog will be upgraded to v1.18 in the next release. You can do this yourself now by manually changing your composer.json, and run "composer update"...