VYPR
Vendor: Composer

Products: 1
CVEs: 13
Across products: 13
Status: Private

Recent CVEs (13)
  • CVE-2026-40261 | High | Apr 15, 2026
    risk 0.50 | cvss 8.8 | epss 0.02

    Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally…

  • CVE-2024-35242 | High | Jun 10, 2024
    risk 0.50 | cvss 8.8 | epss 0.03

    Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories.…

  • CVE-2024-35241 | High | Jun 10, 2024
    risk 0.50 | cvss 8.8 | epss 0.01

    Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.…

  • CVE-2026-40176 | High | Apr 15, 2026
    risk 0.44 | cvss 7.8 | epss 0.01

    Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port,…

  • CVE-2025-67746 | Dec 30, 2025
    risk 0.00 | cvss n/a | epss 0.00

    Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing…

  • CVE-2024-24821 | Feb 8, 2024
    risk 0.00 | cvss n/a | epss 0.00

    Composer is a dependency manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may…

  • CVE-2023-43655 | Sep 29, 2023
    risk 0.00 | cvss n/a | epss 0.01

    Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini.…

  • CVE-2015-8371 | Sep 21, 2023
    risk 0.00 | cvss n/a | epss 0.01

    Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the…

  • CVE-2022-24828 | Apr 13, 2022
    risk 0.00 | cvss n/a | epss 0.02

    Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on…

  • CVE-2021-41116 | Oct 5, 2021
    risk 0.00 | cvss n/a | epss 0.03

    Composer is an open source dependency manager for the PHP language. In affected versions, Windows users running Composer to install untrusted dependencies are subject to command injection and should upgrade their Composer version. Other OSs and WSL are not affected. The issue has…

  • CVE-2021-29472 | Apr 27, 2021
    risk 0.00 | cvss n/a | epss 0.05

    Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system.…

  • CVE-2020-35184 | Dec 17, 2020
    risk 0.00 | cvss n/a | epss 0.03

    The official Composer Docker images before 1.8.3 contain a blank password for a root user. Systems using the Composer Docker container deployed by affected versions of the Docker image may allow a remote attacker to achieve root access with a blank password.

  • CVE-2020-15145 | Aug 14, 2020
    risk 0.00 | cvss n/a | epss 0.00

    In Composer-Setup for Windows before version 6.0.0, if the developer's computer is shared with other users, a local attacker may be able to exploit the following scenarios. 1. A local regular user may modify the existing `C:\ProgramData\ComposerSetup\bin\composer.bat` in order…