Composer
by Composer
Source repositories
CVEs (13)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-40261 | Hig | 0.50 | 8.8 | 0.02 | Apr 15, 2026 | Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally… | ||
| CVE-2024-35242 | Hig | 0.50 | 8.8 | 0.03 | Jun 10, 2024 | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories.… | ||
| CVE-2024-35241 | Hig | 0.50 | 8.8 | 0.01 | Jun 10, 2024 | Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.… | ||
| CVE-2026-40176 | Hig | 0.44 | 7.8 | 0.01 | Apr 15, 2026 | Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port,… | ||
| CVE-2025-67746 | 0.00 | — | 0.00 | Dec 30, 2025 | Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing… | |||
| CVE-2024-24821 | 0.00 | — | 0.00 | Feb 8, 2024 | Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may… | |||
| CVE-2023-43655 | 0.00 | — | 0.01 | Sep 29, 2023 | Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini.… | |||
| CVE-2015-8371 | 0.00 | — | 0.01 | Sep 21, 2023 | Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the… | |||
| CVE-2022-24828 | 0.00 | — | 0.02 | Apr 13, 2022 | Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on… | |||
| CVE-2021-41116 | 0.00 | — | 0.03 | Oct 5, 2021 | Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has… | |||
| CVE-2021-29472 | 0.00 | — | 0.05 | Apr 27, 2021 | Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system.… | |||
| CVE-2020-35184 | 0.00 | — | 0.03 | Dec 17, 2020 | The official composer docker images before 1.8.3 contain a blank password for a root user. System using the composer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password. | |||
| CVE-2020-15145 | 0.00 | — | 0.00 | Aug 14, 2020 | In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\ProgramData\ComposerSetup\bin\composer.bat` in order… |
- risk 0.50cvss 8.8epss 0.02
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally…
- risk 0.50cvss 8.8epss 0.03
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories.…
- risk 0.50cvss 8.8epss 0.01
Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.…
- risk 0.44cvss 7.8epss 0.01
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port,…
- CVE-2025-67746Dec 30, 2025risk 0.00cvss —epss 0.00
Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing…
- CVE-2024-24821Feb 8, 2024risk 0.00cvss —epss 0.00
Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may…
- CVE-2023-43655Sep 29, 2023risk 0.00cvss —epss 0.01
Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini.…
- CVE-2015-8371Sep 21, 2023risk 0.00cvss —epss 0.01
Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the…
- CVE-2022-24828Apr 13, 2022risk 0.00cvss —epss 0.02
Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on…
- CVE-2021-41116Oct 5, 2021risk 0.00cvss —epss 0.03
Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their composer version. Other OSs and WSL are not affected. The issue has…
- CVE-2021-29472Apr 27, 2021risk 0.00cvss —epss 0.05
Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system.…
- CVE-2020-35184Dec 17, 2020risk 0.00cvss —epss 0.03
The official composer docker images before 1.8.3 contain a blank password for a root user. System using the composer docker container deployed by affected versions of the docker image may allow a remote attacker to achieve root access with a blank password.
- CVE-2020-15145Aug 14, 2020risk 0.00cvss —epss 0.00
In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\ProgramData\ComposerSetup\bin\composer.bat` in order…