Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/composer/composer@1.10.0

Type composer

Namespace composer

Name composer

Version 1.10.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.10.28

Latest_non_vulnerable_version 2.10.0-RC1

Affected_by_vulnerabilities

url VCID-1sk6-xbn9-q7es

vulnerability_id VCID-1sk6-xbn9-q7es

summary composer: command injection via malicious Perforce repository definition

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40176.json

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40176.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-40176

reference_id

reference_type

scores

value	0.00023
scoring_system	epss
scoring_elements	0.06822
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-40176

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40176
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40176

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/composer/composer

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/composer/composer

reference_url

https://github.com/composer/composer/releases/tag/2.9.6

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T14:16:01Z/

url

https://github.com/composer/composer/releases/tag/2.9.6

reference_url

https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T14:16:01Z/

url

https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40176.yaml

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40176.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-40176

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-40176

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2458828
reference_id	2458828
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2458828

reference_url	https://github.com/advisories/GHSA-wg36-wvj6-r67p
reference_id	GHSA-wg36-wvj6-r67p
reference_type
scores
url	https://github.com/advisories/GHSA-wg36-wvj6-r67p

reference_url	https://access.redhat.com/errata/RHSA-2026:8165
reference_id	RHSA-2026:8165
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8165

fixed_packages

url	pkg:composer/composer/composer@2.2.27
purl	pkg:composer/composer/composer@2.2.27
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.27

url	pkg:composer/composer/composer@2.3.0-RC1
purl	pkg:composer/composer/composer@2.3.0-RC1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1

url	pkg:composer/composer/composer@2.9.6
purl	pkg:composer/composer/composer@2.9.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.9.6

url	pkg:composer/composer/composer@2.10.0-RC1
purl	pkg:composer/composer/composer@2.10.0-RC1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.10.0-RC1

aliases CVE-2026-40176, GHSA-wg36-wvj6-r67p

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1sk6-xbn9-q7es

url VCID-5ccv-kq34-9kf2

vulnerability_id VCID-5ccv-kq34-9kf2

summary arbitrary command execution

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-41116

reference_id

reference_type

scores

value	0.00969
scoring_system	epss
scoring_elements	0.76982
published_at	2026-06-05T12:55:00Z

value	0.00969
scoring_system	epss
scoring_elements	0.76949
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-41116

reference_url

https://github.com/composer/composer

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/composer/composer

reference_url

https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/composer/composer/commit/ca5e2f8d505fd3bfac6f7c85b82f2740becbc0aa

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2021-41116.yaml

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2021-41116.yaml

reference_url

https://www.sonarsource.com/blog/securing-developer-tools-package-managers

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.sonarsource.com/blog/securing-developer-tools-package-managers

reference_url

https://www.tenable.com/security/tns-2022-09

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.tenable.com/security/tns-2022-09

reference_url

https://security.archlinux.org/AVG-2446

reference_id

AVG-2446

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2446

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-41116

reference_id

CVE-2021-41116

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-41116

reference_url	https://github.com/advisories/GHSA-frqg-7g38-6gcf
reference_id	GHSA-frqg-7g38-6gcf
reference_type
scores
url	https://github.com/advisories/GHSA-frqg-7g38-6gcf

reference_url

https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf

reference_id

GHSA-frqg-7g38-6gcf

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf

fixed_packages

url pkg:composer/composer/composer@1.10.23

purl pkg:composer/composer/composer@1.10.23

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-8zzn-tauw-mydc

vulnerability	VCID-bfsn-ds7s-j3ha

vulnerability	VCID-q7kj-g74r-s7ec

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@1.10.23

url pkg:composer/composer/composer@2.0.0-RC1

purl pkg:composer/composer/composer@2.0.0-RC1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-q7kj-g74r-s7ec

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.0.0-RC1

url pkg:composer/composer/composer@2.1.9

purl pkg:composer/composer/composer@2.1.9

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-2pwj-7xfy-zkh3

vulnerability	VCID-52e4-4t6n-p3e9

vulnerability	VCID-8zzn-tauw-mydc

vulnerability	VCID-bfsn-ds7s-j3ha

vulnerability	VCID-hnah-ry8y-77d6

vulnerability	VCID-q7kj-g74r-s7ec

vulnerability	VCID-v9rg-9gpu-23h6

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.1.9

aliases CVE-2021-41116, GHSA-frqg-7g38-6gcf

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5ccv-kq34-9kf2

url VCID-8zzn-tauw-mydc

vulnerability_id VCID-8zzn-tauw-mydc

summary

Improper Input Validation
Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-24828

reference_id

reference_type

scores

value	0.00167
scoring_system	epss
scoring_elements	0.3758
published_at	2026-06-05T12:55:00Z

value	0.00167
scoring_system	epss
scoring_elements	0.37487
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-24828

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24828
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24828

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/composer/composer

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/composer/composer

reference_url

https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2022-24828.yaml

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2022-24828.yaml

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG/

reference_url

https://www.tenable.com/security/tns-2022-09

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.tenable.com/security/tns-2022-09

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009960
reference_id	1009960
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009960

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-24828

reference_id

CVE-2022-24828

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-24828

reference_url

https://github.com/advisories/GHSA-x7cr-6qr6-2hh6

reference_id

GHSA-x7cr-6qr6-2hh6

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-x7cr-6qr6-2hh6

reference_url

https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6

reference_id

GHSA-x7cr-6qr6-2hh6

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6

reference_url	https://security.gentoo.org/glsa/202508-06
reference_id	GLSA-202508-06
reference_type
scores
url	https://security.gentoo.org/glsa/202508-06

reference_url	https://usn.ubuntu.com/7603-1/
reference_id	USN-7603-1
reference_type
scores
url	https://usn.ubuntu.com/7603-1/

fixed_packages

url pkg:composer/composer/composer@1.10.26

purl pkg:composer/composer/composer@1.10.26

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-bfsn-ds7s-j3ha

vulnerability	VCID-q7kj-g74r-s7ec

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@1.10.26

url pkg:composer/composer/composer@2.2.12

purl pkg:composer/composer/composer@2.2.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-2pwj-7xfy-zkh3

vulnerability	VCID-52e4-4t6n-p3e9

vulnerability	VCID-bfsn-ds7s-j3ha

vulnerability	VCID-hnah-ry8y-77d6

vulnerability	VCID-q7kj-g74r-s7ec

vulnerability	VCID-v9rg-9gpu-23h6

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.12

url pkg:composer/composer/composer@2.3.5

purl pkg:composer/composer/composer@2.3.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-2pwj-7xfy-zkh3

vulnerability	VCID-52e4-4t6n-p3e9

vulnerability	VCID-bfsn-ds7s-j3ha

vulnerability	VCID-hnah-ry8y-77d6

vulnerability	VCID-q7kj-g74r-s7ec

vulnerability	VCID-v9rg-9gpu-23h6

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.5

aliases CVE-2022-24828, GHSA-x7cr-6qr6-2hh6

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8zzn-tauw-mydc

url VCID-bfsn-ds7s-j3ha

vulnerability_id VCID-bfsn-ds7s-j3ha

summary

Composer Remote Code Execution vulnerability via web-accessible composer.phar
Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-43655

reference_id

reference_type

scores

value	0.01575
scoring_system	epss
scoring_elements	0.81917
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-43655

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43655
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43655

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/composer/composer

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/composer/composer

reference_url

https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/

url

https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d

reference_url

https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/

url

https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c

reference_url

https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/

url

https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c

reference_url

https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/

url

https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/

reference_id

66H2WKFUO255T3BZTL72TNYJYH2XM5FG

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/

reference_id

7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-43655

reference_id

CVE-2023-43655

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-43655

reference_url	https://github.com/advisories/GHSA-jm6m-4632-36hf
reference_id	GHSA-jm6m-4632-36hf
reference_type
scores
url	https://github.com/advisories/GHSA-jm6m-4632-36hf

reference_url

https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf

reference_id

GHSA-jm6m-4632-36hf

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/

url

https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf

reference_url	https://security.gentoo.org/glsa/202508-06
reference_id	GLSA-202508-06
reference_type
scores
url	https://security.gentoo.org/glsa/202508-06

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/

reference_id

KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2

reference_type

scores

value	6.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/

reference_url	https://usn.ubuntu.com/7603-1/
reference_id	USN-7603-1
reference_type
scores
url	https://usn.ubuntu.com/7603-1/

fixed_packages

url pkg:composer/composer/composer@1.10.27

purl pkg:composer/composer/composer@1.10.27

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-q7kj-g74r-s7ec

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@1.10.27

url pkg:composer/composer/composer@2.0.0-RC1

purl pkg:composer/composer/composer@2.0.0-RC1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-q7kj-g74r-s7ec

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.0.0-RC1

url pkg:composer/composer/composer@2.2.22

purl pkg:composer/composer/composer@2.2.22

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-2pwj-7xfy-zkh3

vulnerability	VCID-52e4-4t6n-p3e9

vulnerability	VCID-hnah-ry8y-77d6

vulnerability	VCID-q7kj-g74r-s7ec

vulnerability	VCID-v9rg-9gpu-23h6

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.22

url	pkg:composer/composer/composer@2.3.0-RC1
purl	pkg:composer/composer/composer@2.3.0-RC1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1

url pkg:composer/composer/composer@2.6.4

purl pkg:composer/composer/composer@2.6.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-2pwj-7xfy-zkh3

vulnerability	VCID-52e4-4t6n-p3e9

vulnerability	VCID-hnah-ry8y-77d6

vulnerability	VCID-q7kj-g74r-s7ec

vulnerability	VCID-v9rg-9gpu-23h6

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.6.4

aliases CVE-2023-43655, GHSA-jm6m-4632-36hf

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bfsn-ds7s-j3ha

url VCID-m72z-wq6e-6qg3

vulnerability_id VCID-m72z-wq6e-6qg3

summary

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly is limited as the composer.json file is typically under their own control and source download URLs can only be supplied by third party Composer repositories they explicitly trust to download and execute source code from, e.g. Composer plugins. The main impact is to services passing user input to Composer, including Packagist.org and Private Packagist. This allowed users to trigger remote code execution. The vulnerability has been patched on Packagist.org and Private Packagist within 12h of receiving the initial vulnerability report and based on a review of logs, to the best of our knowledge, was not abused by anyone. Other services/tools using VcsRepository/VcsDriver or derivatives may also be vulnerable and should upgrade their composer/composer dependency immediately. Versions 1.10.22 and 2.0.13 include patches for this issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-29472

reference_id

reference_type

scores

value	0.02585
scoring_system	epss
scoring_elements	0.85858
published_at	2026-06-04T12:55:00Z

value	0.02585
scoring_system	epss
scoring_elements	0.8588
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-29472

reference_url

https://blog.sonarsource.com/php-supply-chain-attack-on-composer

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://blog.sonarsource.com/php-supply-chain-attack-on-composer

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29472
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29472

reference_url

https://getcomposer.org

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://getcomposer.org

reference_url	https://getcomposer.org/
reference_id
reference_type
scores
url	https://getcomposer.org/

reference_url

https://github.com/composer/composer

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/composer/composer

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2021-29472.yaml

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2021-29472.yaml

reference_url

https://lists.debian.org/debian-lts-announce/2021/05/msg00009.html

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2021/05/msg00009.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FAQUAMGO4Q4BLNZ2OH4CXQD7UK4IO2GE

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FAQUAMGO4Q4BLNZ2OH4CXQD7UK4IO2GE

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FAQUAMGO4Q4BLNZ2OH4CXQD7UK4IO2GE/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FAQUAMGO4Q4BLNZ2OH4CXQD7UK4IO2GE/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KN3DMFH42BJW45VT6FYF2RXKC26D6VC2

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KN3DMFH42BJW45VT6FYF2RXKC26D6VC2

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KN3DMFH42BJW45VT6FYF2RXKC26D6VC2/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KN3DMFH42BJW45VT6FYF2RXKC26D6VC2/

reference_url

https://www.debian.org/security/2021/dsa-4907

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2021/dsa-4907

reference_url

https://security.archlinux.org/AVG-1885

reference_id

AVG-1885

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-1885

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-29472

reference_id

CVE-2021-29472

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-29472

reference_url	https://github.com/advisories/GHSA-h5h8-pc6h-jvvx
reference_id	GHSA-h5h8-pc6h-jvvx
reference_type
scores
url	https://github.com/advisories/GHSA-h5h8-pc6h-jvvx

reference_url

https://github.com/composer/composer/security/advisories/GHSA-h5h8-pc6h-jvvx

reference_id

GHSA-h5h8-pc6h-jvvx

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/composer/composer/security/advisories/GHSA-h5h8-pc6h-jvvx

reference_url	https://usn.ubuntu.com/USN-5220-1/
reference_id	USN-USN-5220-1
reference_type
scores
url	https://usn.ubuntu.com/USN-5220-1/

fixed_packages

url pkg:composer/composer/composer@1.10.22

purl pkg:composer/composer/composer@1.10.22

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-5ccv-kq34-9kf2

vulnerability	VCID-8zzn-tauw-mydc

vulnerability	VCID-bfsn-ds7s-j3ha

vulnerability	VCID-q7kj-g74r-s7ec

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@1.10.22

url pkg:composer/composer/composer@2.0.13

purl pkg:composer/composer/composer@2.0.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1sk6-xbn9-q7es

vulnerability	VCID-2pwj-7xfy-zkh3

vulnerability	VCID-52e4-4t6n-p3e9

vulnerability	VCID-5ccv-kq34-9kf2

vulnerability	VCID-8zzn-tauw-mydc

vulnerability	VCID-bfsn-ds7s-j3ha

vulnerability	VCID-hnah-ry8y-77d6

vulnerability	VCID-q7kj-g74r-s7ec

vulnerability	VCID-v9rg-9gpu-23h6

resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.0.13

aliases CVE-2021-29472, GHSA-h5h8-pc6h-jvvx

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m72z-wq6e-6qg3

url VCID-q7kj-g74r-s7ec

vulnerability_id VCID-q7kj-g74r-s7ec

summary composer: command injection via malicious Perforce source reference/url

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40261.json

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40261.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-40261

reference_id

reference_type

scores

value	0.0005
scoring_system	epss
scoring_elements	0.15931
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-40261

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40261
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40261

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/composer/composer

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/composer/composer

reference_url

https://github.com/composer/composer/releases/tag/2.9.6

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:41:03Z/

url

https://github.com/composer/composer/releases/tag/2.9.6

reference_url

https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:41:03Z/

url

https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40261.yaml

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40261.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-40261

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-40261

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2458841
reference_id	2458841
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2458841

reference_url	https://github.com/advisories/GHSA-gqw4-4w2p-838q
reference_id	GHSA-gqw4-4w2p-838q
reference_type
scores
url	https://github.com/advisories/GHSA-gqw4-4w2p-838q

reference_url	https://access.redhat.com/errata/RHSA-2026:8165
reference_id	RHSA-2026:8165
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2026:8165

fixed_packages

url	pkg:composer/composer/composer@2.2.27
purl	pkg:composer/composer/composer@2.2.27
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.27

url	pkg:composer/composer/composer@2.3.0-RC1
purl	pkg:composer/composer/composer@2.3.0-RC1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1

url	pkg:composer/composer/composer@2.9.6
purl	pkg:composer/composer/composer@2.9.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.9.6

url	pkg:composer/composer/composer@2.10.0-RC1
purl	pkg:composer/composer/composer@2.10.0-RC1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.10.0-RC1

aliases CVE-2026-40261, GHSA-gqw4-4w2p-838q

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q7kj-g74r-s7ec

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@1.10.0

Package Instance