VYPR

Bitnami package

composer

pkg:bitnami/composer

Vulnerabilities (10)

  • CVE-2026-40261 | High | Apr 15, 2026
    affected >= 1.0.0, < 2.2.27 | fixed 2.2.27

    Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally…

  • CVE-2026-40176 | High | Apr 15, 2026
    affected >= 1.0.0, < 2.2.27 | fixed 2.2.27

    Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port,…

  • CVE-2025-67746 | Dec 30, 2025
    affected >= 2.0.0, < 2.2.26 | fixed 2.2.26

    Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangl…

  • CVE-2024-35242 | High | Jun 10, 2024
    affected >= 2.0.0, < 2.2.24 | fixed 2.2.24

    Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories.

  • CVE-2024-35241 | High | Jun 10, 2024
    affected >= 2.0.0, < 2.2.24 | fixed 2.2.24

    Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Pat…

  • CVE-2024-24821 | Feb 8, 2024
    affected >= 2.0.0, < 2.2.23 | fixed 2.2.23

    Composer is a dependency manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lea…

  • CVE-2023-43655 | Sep 29, 2023
    affected < 1.10.27 | fixed 1.10.27

    Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Vers…

  • CVE-2022-24828 | Apr 13, 2022
    affected < 1.10.26 | fixed 1.10.26

    Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist…

  • CVE-2021-41116 | Oct 5, 2021
    affected < 1.10.23 | fixed 1.10.23

    Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has…

  • CVE-2021-29472 | Apr 27, 2021
    affected < 1.10.22 | fixed 1.10.22

    Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system.
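The affected ranges above use a small comparison syntax (">= 1.0.0, < 2.2.27", "< 1.10.27"). The checker below, an added example that is not code from VYPR, Bitnami or the Composer project, parses those ranges and reports which of the ten listed advisories contain a given Composer version. The range expressions in the block are copied from the listing; the version strings and the `composer --version` banner it parses are constructed for illustration, and the banner format ("Composer version X.Y.Z ...") is an assumption. One caveat the listing itself makes visible: the affected ranges stop at the 2.2.x fixes, while the descriptions of the two 2026 CVEs say 2.3 through 2.9.5 are affected as well, so a version such as 2.9.5 matches none of the ranges here even though the advisory text covers it. Treat these ranges as incomplete for anything above the 2.2 line and read the description, not just the range.

```python
"""Check a Composer version against the affected ranges in the listing above.

Added example; not code from VYPR, Bitnami or the Composer project.
"""
import re

# Affected-range expressions copied from the listing above (CVE -> range).
ADVISORIES = {
    "CVE-2026-40261": ">= 1.0.0, < 2.2.27",
    "CVE-2026-40176": ">= 1.0.0, < 2.2.27",
    "CVE-2025-67746": ">= 2.0.0, < 2.2.26",
    "CVE-2024-35242": ">= 2.0.0, < 2.2.24",
    "CVE-2024-35241": ">= 2.0.0, < 2.2.24",
    "CVE-2024-24821": ">= 2.0.0, < 2.2.23",
    "CVE-2023-43655": "< 1.10.27",
    "CVE-2022-24828": "< 1.10.26",
    "CVE-2021-41116": "< 1.10.23",
    "CVE-2021-29472": "< 1.10.22",
}

_CONSTRAINT = re.compile(r"^(>=|<=|>|<|=)\s*(\S+)$")
_NUMERIC = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text):
    """'v2.2.27-RC1+meta' -> ((2, 2, 27), False).

    The boolean marks a final release. A pre-release of the same number sorts
    below it, so 2.2.27-RC1 is still inside '< 2.2.27' (it predates the fix).
    """
    body = text.strip().lstrip("v").split("+", 1)[0]   # drop build metadata
    core, _, pre = body.partition("-")
    if not _NUMERIC.match(core):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in core.split(".")), pre == ""


def _compare(a, b):
    """-1, 0 or 1; numeric parts are zero-padded so 2.2 equals 2.2.0."""
    (na, ra), (nb, rb) = a, b
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    return ((na, ra) > (nb, rb)) - ((na, ra) < (nb, rb))


def satisfies(version, expression):
    """True when `version` meets every comma-separated constraint in `expression`."""
    v = parse_version(version)
    for raw in expression.split(","):
        m = _CONSTRAINT.match(raw.strip())
        if not m:
            raise ValueError(f"bad constraint: {raw!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        c = _compare(v, bound)
        if not {">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0, "=": c == 0}[op]:
            return False
    return True


def affecting(version, advisories=ADVISORIES):
    """Sorted ids of the advisories whose affected range contains `version`."""
    return sorted(cve for cve, expr in advisories.items() if satisfies(version, expr))


def version_from_banner(banner):
    """Pull the version out of `composer --version` output.

    Assumes the banner starts 'Composer version X.Y.Z ...'; returns None if
    that pattern is not present.
    """
    m = re.search(r"Composer version (\S+)", banner)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed banner, not captured from a real host.
    banner = "Composer version 2.2.23 2023-02-15 13:07:40"
    found = version_from_banner(banner)
    print(found, "->", affecting(found) or "no listed range matches")
    # Caveat visible in the listing: the ranges stop at 2.2.x although the
    # descriptions of the 2026 CVEs say 2.3 through 2.9.5 are affected too.
    print("2.9.5 ->", affecting("2.9.5") or "no listed range matches (see description)")
```

Feed it the output of `composer --version` from the host or image you are auditing; a pre-release such as 2.2.27-RC1 is deliberately treated as older than 2.2.27, since the fix ships in the final release.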