Lucene search
K
GetcomposerComposer

9 matches found

CVE
CVE
added 2021/04/27 8:30 p.m.297 views

CVE-2021-29472

Composer suffers from a vulnerability where Mercurial URLs in root composer.json and package source URLs are not sanitized, allowing remote code execution via HgDriver if hg/Mercurial is installed. The impact is described as higher for services passing user input (e.g., Packagist.org, Private Pac...

8.8CVSS9AI score0.04849EPSS
CVE
CVE
added 2023/09/29 7:33 p.m.186 views

CVE-2023-43655

CVE-2023-43655 affects the PHP dependency manager Composer when a user publishes a web-accessible composer.phar that can be executed as PHP and PHP is configured with register_argc_argv enabled . Multiple connected advisories confirm the vulnerability exists in Composer and describe that versions...

8.8CVSS7.8AI score0.01378EPSS
CVE
CVE
added 2022/04/13 9:0 p.m.179 views

CVE-2022-24828

The CVE-2022-24828 entry concerns Composer’s VcsDriver::getFileContent accepting user-controlled $file or $identifier. The root cause is input that can lead to parameter/command injection when interacting with Mercurial or Git drivers, impacting integrations like Packagist.org where readme conten...

8.8CVSS8.7AI score0.01841EPSS
CVE
CVE
added 2021/10/05 5:40 p.m.137 views

CVE-2021-41116

CVE-2021-41116 affects the PHP package manager Composer . The vulnerability allows command injection on Windows when installing untrusted dependencies; other OSes and WSL are not affected. The issue has been fixed in Composer versions 1.10.23 and 2.1.9 ; there are no workarounds reported. This CV...

9.8CVSS9.2AI score0.02904EPSS
CVE
CVE
added 2024/02/08 11:54 p.m.114 views

CVE-2024-24821

CVE-2024-24821 affects Composer (PHP dependency manager). In affected versions, local directory files can be included during invocation, enabling arbitrary code execution from the executing user context and potentially leading to local privilege escalation, lateral movement, or malicious code exe...

8.8CVSS7.8AI score0.00273EPSS
CVE
CVE
added 2023/09/21 12:0 a.m.54 views

CVE-2015-8371

CVE-2015-8371 affects Composer before 2016-02-10, allowing cache poisoning where attacker-controlled data can enter a server‑side build. The root cause is how dist packages are cached: the cache key is derived from the package name, dist type, and repository data (often a commit hash), which can ...

8.8CVSS8.6AI score0.00697EPSS
CVE
CVE
added 2026/04/15 8:47 p.m.25 views

CVE-2026-40176

CVE-2026-40176 affects Composer (PHP dependency manager). The vulnerability lies in Perforce integration: Perforce::generateP4Command() constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping, enabling command injection....

7.8CVSS6.3AI score0.01065EPSS
CVE
CVE
added 2025/12/30 4:11 p.m.22 views

CVE-2025-67746

Composer 2.x is vulnerable to ANSI sequence injection in terminal output when downloading from remote sources. Affected: 2.2.x before 2.2.26 and 2.9.x before 2.9.3. Root cause: remote sources can inject ANSI control characters into command output, potentially causing mangled output and terminal D...

5.3CVSS6.3AI score0.00405EPSS
CVE
CVE
added 2026/04/15 8:56 p.m.16 views

CVE-2026-40261

CVE-2026-40261 affects the PHP package manager Composer. Affected are Composer versions 1.0–2.2.26 and 2.3–2.9.5, where Perforce::syncCodeBase() and Perforce::generateP4Command() construct shell commands by unsafe interpolation of input (sourceReference, source URL) into commands. This enables co...

8.8CVSS6.2AI score0.01688EPSS