Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/528129?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/528129?format=api", "purl": "pkg:composer/composer/composer@2.2.0", "type": "composer", "namespace": "composer", "name": "composer", "version": "2.2.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.2.27", "latest_non_vulnerable_version": "2.9.8", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21947?format=api", "vulnerability_id": "VCID-1cgx-psut-e3hh", "summary": "Composer is vulnerable to ANSI sequence injection\nAttackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application.\n\nThere is no proven exploit and this has thus a low severity but Composer still published a CVE as it has potential for abuse, and Composer wants to be on the safe side informing users that they should upgrade.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-67746.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-67746.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-67746", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05166", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-67746" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" } 
], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/composer/composer", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/composer/composer" }, { "reference_url": "https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-30T17:17:14Z/" } ], "url": "https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917" }, { "reference_url": "https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-30T17:17:14Z/" } ], "url": "https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71" }, { "reference_url": 
"https://github.com/composer/composer/releases/tag/2.2.26", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-30T17:17:14Z/" } ], "url": "https://github.com/composer/composer/releases/tag/2.2.26" }, { "reference_url": "https://github.com/composer/composer/releases/tag/2.9.3", "reference_id": "", "reference_type": "", "scores": [ { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-30T17:17:14Z/" } ], "url": "https://github.com/composer/composer/releases/tag/2.9.3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426283", "reference_id": "2426283", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426283" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67746", "reference_id": "CVE-2025-67746", "reference_type": "", "scores": [ { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67746" }, { 
"reference_url": "https://github.com/advisories/GHSA-59pp-r3rg-353g", "reference_id": "GHSA-59pp-r3rg-353g", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-59pp-r3rg-353g" }, { "reference_url": "https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g", "reference_id": "GHSA-59pp-r3rg-353g", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "1.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-30T17:17:14Z/" } ], "url": "https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:8165", "reference_id": "RHSA-2026:8165", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:8165" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71932?format=api", "purl": "pkg:composer/composer/composer@2.2.26", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-kpnb-b563-1yft" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.26" }, { "url": "http://public2.vulnerablecode.io/api/packages/630163?format=api", "purl": "pkg:composer/composer/composer@2.3.0-RC1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1" }, { 
"url": "http://public2.vulnerablecode.io/api/packages/71933?format=api", "purl": "pkg:composer/composer/composer@2.9.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-kpnb-b563-1yft" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.9.3" } ], "aliases": [ "CVE-2025-67746", "GHSA-59pp-r3rg-353g" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1cgx-psut-e3hh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19393?format=api", "vulnerability_id": "VCID-4pb1-p6st-4kg4", "summary": "Inclusion of Functionality from Untrusted Control Sphere\nComposer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. 
Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:\n```sh\nrm vendor/composer/installed.php vendor/composer/InstalledVersions.php\ncomposer install --no-scripts --no-plugins\n```", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24821", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00132", "scoring_system": "epss", "scoring_elements": "0.32423", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24821" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/composer/composer", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/composer/composer" }, { "reference_url": "https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", 
"scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-11T18:11:46Z/" } ], "url": "https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5" }, { "reference_url": "https://github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063603", "reference_id": "1063603", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063603" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24821", "reference_id": "CVE-2024-24821", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24821" }, { "reference_url": "https://github.com/advisories/GHSA-7c6p-848j-wh5h", "reference_id": "GHSA-7c6p-848j-wh5h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7c6p-848j-wh5h" }, { "reference_url": "https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h", "reference_id": "GHSA-7c6p-848j-wh5h", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { 
"value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-11T18:11:46Z/" } ], "url": "https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h" }, { "reference_url": "https://usn.ubuntu.com/7603-1/", "reference_id": "USN-7603-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7603-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/67636?format=api", "purl": "pkg:composer/composer/composer@2.2.23", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cgx-psut-e3hh" }, { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-kpnb-b563-1yft" }, { "vulnerability": "VCID-vy1p-sn17-uybt" }, { "vulnerability": "VCID-ww6j-dye5-7uac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.23" }, { "url": "http://public2.vulnerablecode.io/api/packages/630163?format=api", "purl": "pkg:composer/composer/composer@2.3.0-RC1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1" }, { "url": "http://public2.vulnerablecode.io/api/packages/67637?format=api", "purl": "pkg:composer/composer/composer@2.7.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cgx-psut-e3hh" }, { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-kpnb-b563-1yft" }, { "vulnerability": "VCID-vy1p-sn17-uybt" }, { "vulnerability": "VCID-ww6j-dye5-7uac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.7.0" } ], "aliases": [ "CVE-2024-24821", "GHSA-7c6p-848j-wh5h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4pb1-p6st-4kg4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/331905?format=api", 
"vulnerability_id": "VCID-8pap-8xmr-m3ha", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40176.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40176.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40176", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06958", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40176" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/composer/composer", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/composer/composer" }, { "reference_url": "https://github.com/composer/composer/releases/tag/2.9.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T14:16:01Z/" } ], "url": "https://github.com/composer/composer/releases/tag/2.9.6" }, { 
"reference_url": "https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T14:16:01Z/" } ], "url": "https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40176.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40176.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40176", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40176" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458828", "reference_id": "2458828", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458828" }, { "reference_url": "https://github.com/advisories/GHSA-wg36-wvj6-r67p", "reference_id": "GHSA-wg36-wvj6-r67p", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-wg36-wvj6-r67p" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:8165", "reference_id": "RHSA-2026:8165", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:8165" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/975793?format=api", "purl": "pkg:composer/composer/composer@2.10.0-RC1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.10.0-RC1" }, { "url": "http://public2.vulnerablecode.io/api/packages/189342?format=api", "purl": "pkg:composer/composer/composer@2.2.27", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.27" }, { "url": "http://public2.vulnerablecode.io/api/packages/630163?format=api", "purl": "pkg:composer/composer/composer@2.3.0-RC1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1" }, { "url": "http://public2.vulnerablecode.io/api/packages/189341?format=api", "purl": "pkg:composer/composer/composer@2.9.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.9.6" } ], "aliases": [ "CVE-2026-40176", "GHSA-wg36-wvj6-r67p" ], "risk_score": 3.5, "exploitability": "0.5", "weighted_severity": "7.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8pap-8xmr-m3ha" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/18535?format=api", "vulnerability_id": "VCID-fzya-vz4m-5yhu", "summary": "Composer Remote Code Execution vulnerability via web-accessible composer.phar\nUsers publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be 
impacted if PHP also has `register_argc_argv` enabled in php.ini.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43655", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01575", "scoring_system": "epss", "scoring_elements": "0.81859", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-43655" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/composer/composer", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/composer/composer" }, { "reference_url": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/" } ], "url": "https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d" }, { "reference_url": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/" } ], "url": "https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c" }, { "reference_url": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/" } ], "url": "https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/", "reference_id": "66H2WKFUO255T3BZTL72TNYJYH2XM5FG", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/", "reference_id": "7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43655", "reference_id": "CVE-2023-43655", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43655" }, { "reference_url": "https://github.com/advisories/GHSA-jm6m-4632-36hf", "reference_id": "GHSA-jm6m-4632-36hf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jm6m-4632-36hf" }, { "reference_url": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf", "reference_id": "GHSA-jm6m-4632-36hf", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", 
"scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/" } ], "url": "https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf" }, { "reference_url": "https://security.gentoo.org/glsa/202508-06", "reference_id": "GLSA-202508-06", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202508-06" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/", "reference_id": "KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/" }, { "reference_url": "https://usn.ubuntu.com/7603-1/", "reference_id": "USN-7603-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7603-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/65969?format=api", "purl": "pkg:composer/composer/composer@2.2.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cgx-psut-e3hh" }, { "vulnerability": "VCID-4pb1-p6st-4kg4" }, { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-kpnb-b563-1yft" }, { "vulnerability": "VCID-vy1p-sn17-uybt" }, { "vulnerability": "VCID-ww6j-dye5-7uac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/630163?format=api", "purl": 
"pkg:composer/composer/composer@2.3.0-RC1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1" }, { "url": "http://public2.vulnerablecode.io/api/packages/65970?format=api", "purl": "pkg:composer/composer/composer@2.6.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cgx-psut-e3hh" }, { "vulnerability": "VCID-4pb1-p6st-4kg4" }, { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-kpnb-b563-1yft" }, { "vulnerability": "VCID-vy1p-sn17-uybt" }, { "vulnerability": "VCID-ww6j-dye5-7uac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.6.4" } ], "aliases": [ "CVE-2023-43655", "GHSA-jm6m-4632-36hf" ], "risk_score": null, "exploitability": "0.5", "weighted_severity": "0.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fzya-vz4m-5yhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/331959?format=api", "vulnerability_id": "VCID-kpnb-b563-1yft", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40261.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40261.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40261", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0005", "scoring_system": "epss", "scoring_elements": "0.15878", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-40261" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/composer/composer", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/composer/composer" }, { "reference_url": "https://github.com/composer/composer/releases/tag/2.9.6", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:41:03Z/" } ], "url": "https://github.com/composer/composer/releases/tag/2.9.6" }, { "reference_url": "https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:41:03Z/" } ], "url": "https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40261.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { 
"value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40261.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40261", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40261" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458841", "reference_id": "2458841", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458841" }, { "reference_url": "https://github.com/advisories/GHSA-gqw4-4w2p-838q", "reference_id": "GHSA-gqw4-4w2p-838q", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-gqw4-4w2p-838q" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:8165", "reference_id": "RHSA-2026:8165", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:8165" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/975793?format=api", "purl": "pkg:composer/composer/composer@2.10.0-RC1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.10.0-RC1" }, { "url": "http://public2.vulnerablecode.io/api/packages/189342?format=api", "purl": "pkg:composer/composer/composer@2.2.27", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.27" }, { "url": "http://public2.vulnerablecode.io/api/packages/630163?format=api", "purl": "pkg:composer/composer/composer@2.3.0-RC1", 
"is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1" }, { "url": "http://public2.vulnerablecode.io/api/packages/189341?format=api", "purl": "pkg:composer/composer/composer@2.9.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.9.6" } ], "aliases": [ "CVE-2026-40261", "GHSA-gqw4-4w2p-838q" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "7.9", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kpnb-b563-1yft" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256371?format=api", "vulnerability_id": "VCID-vy1p-sn17-uybt", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35241", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00442", "scoring_system": "epss", "scoring_elements": "0.63573", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35241" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/composer/composer", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/composer/composer" }, { "reference_url": "https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4", "reference_id": "", "reference_type": 
"", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:42:58Z/" } ], "url": "https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4" }, { "reference_url": "https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:42:58Z/" } ], "url": "https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073125", "reference_id": "1073125", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073125" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35241", "reference_id": "CVE-2024-35241", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35241" }, { "reference_url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability", "reference_id": "CVE-2024-35241-DETECT-COMPOSER-VULNERABILITY", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability" }, { "reference_url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer", "reference_id": "CVE-2024-35241-MITIGATE-VULNERABLE-COMPOSER", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer" }, { "reference_url": "https://github.com/advisories/GHSA-47f6-5gq3-vx9c", "reference_id": "GHSA-47f6-5gq3-vx9c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": 
"https://github.com/advisories/GHSA-47f6-5gq3-vx9c" }, { "reference_url": "https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c", "reference_id": "GHSA-47f6-5gq3-vx9c", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:42:58Z/" } ], "url": "https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/", "reference_id": "PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:42:58Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/" }, { "reference_url": "https://usn.ubuntu.com/7603-1/", "reference_id": "USN-7603-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7603-1/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/", "reference_id": "VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:42:58Z/" } ], 
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81713?format=api", "purl": "pkg:composer/composer/composer@2.2.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cgx-psut-e3hh" }, { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-kpnb-b563-1yft" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.24" }, { "url": "http://public2.vulnerablecode.io/api/packages/630163?format=api", "purl": "pkg:composer/composer/composer@2.3.0-RC1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1" }, { "url": "http://public2.vulnerablecode.io/api/packages/81714?format=api", "purl": "pkg:composer/composer/composer@2.7.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cgx-psut-e3hh" }, { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-kpnb-b563-1yft" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.7.7" } ], "aliases": [ "CVE-2024-35241", "GHSA-47f6-5gq3-vx9c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vy1p-sn17-uybt" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/256372?format=api", "vulnerability_id": "VCID-ww6j-dye5-7uac", "summary": "", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35242", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.23787", "scoring_system": "epss", "scoring_elements": "0.96104", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-35242" }, { "reference_url": 
"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/composer/composer", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/composer/composer" }, { "reference_url": "https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:44:05Z/" } ], "url": "https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396" }, { "reference_url": "https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:44:05Z/" } ], "url": "https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073126", "reference_id": "1073126", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073126" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35242", "reference_id": "CVE-2024-35242", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-35242" }, { "reference_url": "https://github.com/advisories/GHSA-v9qv-c7wm-wgmf", "reference_id": "GHSA-v9qv-c7wm-wgmf", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v9qv-c7wm-wgmf" }, { "reference_url": 
"https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf", "reference_id": "GHSA-v9qv-c7wm-wgmf", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:44:05Z/" } ], "url": "https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/", "reference_id": "PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:44:05Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/" }, { "reference_url": "https://usn.ubuntu.com/7603-1/", "reference_id": "USN-7603-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7603-1/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/", "reference_id": "VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:44:05Z/" } ], "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81713?format=api", "purl": "pkg:composer/composer/composer@2.2.24", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cgx-psut-e3hh" }, { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-kpnb-b563-1yft" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.24" }, { "url": "http://public2.vulnerablecode.io/api/packages/630163?format=api", "purl": "pkg:composer/composer/composer@2.3.0-RC1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1" }, { "url": "http://public2.vulnerablecode.io/api/packages/81714?format=api", "purl": "pkg:composer/composer/composer@2.7.7", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cgx-psut-e3hh" }, { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-kpnb-b563-1yft" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.7.7" } ], "aliases": [ "CVE-2024-35242", "GHSA-v9qv-c7wm-wgmf" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ww6j-dye5-7uac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15594?format=api", "vulnerability_id": "VCID-xjjm-qjy8-aken", "summary": "Improper Input Validation\nComposer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. 
This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24828", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00211", "scoring_system": "epss", "scoring_elements": "0.43579", "published_at": "2026-05-30T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-24828" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/composer/composer", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/composer/composer" }, { "reference_url": "https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": 
"generic_textual", "scoring_elements": "" } ], "url": "https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ/" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF/" }, { "reference_url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG/", "reference_id": "", "reference_type": "", "scores": [], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG/" }, { "reference_url": "https://www.tenable.com/security/tns-2022-09", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.tenable.com/security/tns-2022-09" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009960", "reference_id": "1009960", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009960" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24828", "reference_id": "CVE-2022-24828", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24828" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2022-24828.yaml", 
"reference_id": "CVE-2022-24828.YAML", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2022-24828.yaml" }, { "reference_url": "https://github.com/advisories/GHSA-x7cr-6qr6-2hh6", "reference_id": "GHSA-x7cr-6qr6-2hh6", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x7cr-6qr6-2hh6" }, { "reference_url": "https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6", "reference_id": "GHSA-x7cr-6qr6-2hh6", "reference_type": "", "scores": [ { "value": "8.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6" }, { "reference_url": "https://security.gentoo.org/glsa/202508-06", "reference_id": "GLSA-202508-06", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202508-06" }, { "reference_url": "https://usn.ubuntu.com/7603-1/", "reference_id": "USN-7603-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7603-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/60479?format=api", "purl": "pkg:composer/composer/composer@2.2.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cgx-psut-e3hh" }, { "vulnerability": "VCID-4pb1-p6st-4kg4" }, { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-fzya-vz4m-5yhu" }, { "vulnerability": "VCID-kpnb-b563-1yft" }, { 
"vulnerability": "VCID-vy1p-sn17-uybt" }, { "vulnerability": "VCID-ww6j-dye5-7uac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/60480?format=api", "purl": "pkg:composer/composer/composer@2.3.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1cgx-psut-e3hh" }, { "vulnerability": "VCID-4pb1-p6st-4kg4" }, { "vulnerability": "VCID-8pap-8xmr-m3ha" }, { "vulnerability": "VCID-fzya-vz4m-5yhu" }, { "vulnerability": "VCID-kpnb-b563-1yft" }, { "vulnerability": "VCID-vy1p-sn17-uybt" }, { "vulnerability": "VCID-ww6j-dye5-7uac" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.5" } ], "aliases": [ "CVE-2022-24828", "GHSA-x7cr-6qr6-2hh6" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xjjm-qjy8-aken" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.0" }