rpm package: opensuse/php-composer2 (openSUSE Tumbleweed)
pkg:rpm/opensuse/php-composer2?distro=openSUSE%20Tumbleweed
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-40261 | High | 8.8 | — | < 2.9.7-1.1 | 2.9.7-1.1 | Apr 15, 2026 | Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally |
| CVE-2026-40176 | High | 7.8 | — | < 2.9.7-1.1 | 2.9.7-1.1 | Apr 15, 2026 | Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, |
| CVE-2025-67746 | — | — | — | < 2.9.3-1.1 | 2.9.3-1.1 | Dec 30, 2025 | Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangl |
| CVE-2024-35242 | High | 8.8 | — | < 2.7.7-1.1 | 2.7.7-1.1 | Jun 10, 2024 | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. |
| CVE-2024-35241 | High | 8.8 | — | < 2.7.7-1.1 | 2.7.7-1.1 | Jun 10, 2024 | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Pat |
| CVE-2024-24821 | — | — | — | < 2.7.1-1.1 | 2.7.1-1.1 | Feb 8, 2024 | Composer is a dependency manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lea |
| CVE-2023-43655 | — | — | — | < 2.6.4-1.1 | 2.6.4-1.1 | Sep 29, 2023 | Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Vers |
| CVE-2022-24828 | — | — | — | < 2.3.5-1.1 | 2.3.5-1.1 | Apr 13, 2022 | Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist |
| CVE-2021-41116 | — | — | — | < 2.1.12-1.1 | 2.1.12-1.1 | Oct 5, 2021 | Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has |
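The Affected/Fixed-in columns give the openSUSE package EVR (version-release), not the upstream Composer version, and the two can differ: the Perforce injections list an upstream range ending at 2.9.5 while the package is only marked fixed at 2.9.7-1.1. Deciding whether an installed host is exposed therefore means comparing the installed rpm EVR against each Fixed-in value using rpm's own ordering rules, not the upstream ranges in the descriptions. The script below is an added example, not part of this listing or of Composer: it ports rpm's rpmvercmp() segment comparison to Python so it runs without librpm, copies the Fixed-in column into a table, and reports which CVEs an installed EVR is still below. The installed version 2.9.6-1.1 used by default is a constructed sample.

```python
"""Added example: check an installed php-composer2 EVR against the Fixed-in column.

Not part of the listing or of Composer. rpmvercmp() is a Python port of rpm's
C routine; FIXED_IN is copied from the table; the default installed EVR is a
constructed sample.
"""
import sys
from string import ascii_letters, digits

_ALPHA = set(ascii_letters)
_DIGIT = set(digits)

# Fixed-in EVRs from the table. "affected < X" means: installed EVR sorts below X.
FIXED_IN = {
    "CVE-2026-40261": "2.9.7-1.1",
    "CVE-2026-40176": "2.9.7-1.1",
    "CVE-2025-67746": "2.9.3-1.1",
    "CVE-2024-35242": "2.7.7-1.1",
    "CVE-2024-35241": "2.7.7-1.1",
    "CVE-2024-24821": "2.7.1-1.1",
    "CVE-2023-43655": "2.6.4-1.1",
    "CVE-2022-24828": "2.3.5-1.1",
    "CVE-2021-41116": "2.1.12-1.1",
}


def _is_sep(c: str) -> bool:
    """Separator: anything that is not a letter, digit, '~' or '^'."""
    return c not in _ALPHA and c not in _DIGIT and c not in "~^"


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.

    Versions are split into runs of digits or runs of letters; separators are
    ignored; '~' sorts before everything (pre-release); '^' sorts after the bare
    version but before further segments (post-release); numeric beats alpha;
    numeric segments compare by value (leading zeros dropped), not lexically.
    """
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and _is_sep(a[i]):
            i += 1
        while j < len(b) and _is_sep(b[j]):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":      # tilde loses even against end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":      # caret beats end of string, loses to a real segment
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):             # one side has no segments left
            break
        isnum = ca in _DIGIT
        charset = _DIGIT if isnum else _ALPHA
        k, m = i, j
        while k < len(a) and a[k] in charset:
            k += 1
        while m < len(b) and b[m] in charset:
            m += 1
        seg_a, seg_b = a[i:k], b[j:m]
        if not seg_b:                   # mixed types: a numeric segment is always newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):  # more significant digits means larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:              # equal length: plain string order decides
            return 1 if seg_a > seg_b else -1
        i, j = k, m
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str) -> tuple[int, str, str]:
    """Split '[epoch:]version[-release]'. Accepts rpm's '(none)' epoch marker."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e) if e and e != "(none)" else 0
    version, _, release = evr.partition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Full EVR order: epoch as an integer, then version, then release via rpmvercmp."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    rc = rpmvercmp(va, vb)
    return rc if rc != 0 else rpmvercmp(ra, rb)


def affected_cves(installed_evr: str) -> list[str]:
    """CVEs from the table whose Fixed-in EVR is newer than the installed EVR."""
    return [cve for cve, fixed in FIXED_IN.items() if evr_cmp(installed_evr, fixed) < 0]


if __name__ == "__main__":
    # Constructed sample when run without an argument; on a host, pass the output of
    #   rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' php-composer2
    installed = sys.argv[1] if len(sys.argv) > 1 else "2.9.6-1.1"
    hits = affected_cves(installed)
    print(installed, "affected by:", ", ".join(hits) if hits else "none of the listed CVEs")
```

Feed it the EVR reported by `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' php-composer2`; the `(none)` epoch that rpm prints for unset epochs is accepted. Doing the comparison with rpm's rules rather than a string or float compare matters for cases like `2.9.10` versus `2.9.7` (numeric segments, so 10 wins) and `1.0~rc1` versus `1.0` (tilde marks a pre-release, which sorts first).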