VYPR

apk package

chainguard/composer

pkg:apk/chainguard/composer

Vulnerabilities (4)

  • CVE-2026-40261 | High | Apr 15, 2026
    affected < 2.9.7-r0 | fixed 2.9.7-r0

    Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally

  • CVE-2026-40176 | High | Apr 15, 2026
    affected < 2.9.7-r0 | fixed 2.9.7-r0

    Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port,

  • CVE-2024-35242 | High | Jun 10, 2024
    affected < 2.7.7-r0 | fixed 2.7.7-r0

    Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories.

  • CVE-2024-35241 | High | Jun 10, 2024
    affected < 2.7.7-r0 | fixed 2.7.7-r0

    Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Pat