9 matches found
CVE-2021-29472
Composer suffers from a vulnerability where Mercurial URLs in root composer.json and package source URLs are not sanitized, allowing remote code execution via HgDriver if hg/Mercurial is installed. The impact is described as higher for services passing user input (e.g., Packagist.org, Private Pac...
CVE-2023-43655
CVE-2023-43655 affects the PHP dependency manager Composer when a user publishes a web-accessible composer.phar that can be executed as PHP and PHP is configured with register_argc_argv enabled . Multiple connected advisories confirm the vulnerability exists in Composer and describe that versions...
CVE-2022-24828
The CVE-2022-24828 entry concerns Composer’s VcsDriver::getFileContent accepting user-controlled $file or $identifier. The root cause is input that can lead to parameter/command injection when interacting with Mercurial or Git drivers, impacting integrations like Packagist.org where readme conten...
CVE-2021-41116
CVE-2021-41116 affects the PHP package manager Composer . The vulnerability allows command injection on Windows when installing untrusted dependencies; other OSes and WSL are not affected. The issue has been fixed in Composer versions 1.10.23 and 2.1.9 ; there are no workarounds reported. This CV...
CVE-2024-24821
CVE-2024-24821 affects Composer (PHP dependency manager). In affected versions, local directory files can be included during invocation, enabling arbitrary code execution from the executing user context and potentially leading to local privilege escalation, lateral movement, or malicious code exe...
CVE-2015-8371
CVE-2015-8371 affects Composer before 2016-02-10, allowing cache poisoning where attacker-controlled data can enter a server‑side build. The root cause is how dist packages are cached: the cache key is derived from the package name, dist type, and repository data (often a commit hash), which can ...
CVE-2026-40176
CVE-2026-40176 affects Composer (PHP dependency manager). The vulnerability lies in Perforce integration: Perforce::generateP4Command() constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping, enabling command injection....
CVE-2025-67746
Composer 2.x is vulnerable to ANSI sequence injection in terminal output when downloading from remote sources. Affected: 2.2.x before 2.2.26 and 2.9.x before 2.9.3. Root cause: remote sources can inject ANSI control characters into command output, potentially causing mangled output and terminal D...
CVE-2026-40261
CVE-2026-40261 affects the PHP package manager Composer. Affected are Composer versions 1.0–2.2.26 and 2.3–2.9.5, where Perforce::syncCodeBase() and Perforce::generateP4Command() construct shell commands by unsafe interpolation of input (sourceReference, source URL) into commands. This enables co...