Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/composer/composer@2.2.0-RC1
Typecomposer
Namespacecomposer
Namecomposer
Version2.2.0-RC1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.2.27
Latest_non_vulnerable_version2.10.0-RC1
Affected_by_vulnerabilities
0
url VCID-1sk6-xbn9-q7es
vulnerability_id VCID-1sk6-xbn9-q7es
summary composer: command injection via malicious Perforce repository definition
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40176.json
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40176.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40176
reference_id
reference_type
scores
0
value 0.00023
scoring_system epss
scoring_elements 0.06822
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40176
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40176
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40176
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/composer/composer
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/composer/composer
5
reference_url https://github.com/composer/composer/releases/tag/2.9.6
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T14:16:01Z/
url https://github.com/composer/composer/releases/tag/2.9.6
6
reference_url https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T14:16:01Z/
url https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p
7
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40176.yaml
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40176.yaml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40176
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40176
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2458828
reference_id 2458828
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2458828
10
reference_url https://github.com/advisories/GHSA-wg36-wvj6-r67p
reference_id GHSA-wg36-wvj6-r67p
reference_type
scores
url https://github.com/advisories/GHSA-wg36-wvj6-r67p
11
reference_url https://access.redhat.com/errata/RHSA-2026:8165
reference_id RHSA-2026:8165
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8165
fixed_packages
0
url pkg:composer/composer/composer@2.2.27
purl pkg:composer/composer/composer@2.2.27
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.27
1
url pkg:composer/composer/composer@2.3.0-RC1
purl pkg:composer/composer/composer@2.3.0-RC1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1
2
url pkg:composer/composer/composer@2.9.6
purl pkg:composer/composer/composer@2.9.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.9.6
3
url pkg:composer/composer/composer@2.10.0-RC1
purl pkg:composer/composer/composer@2.10.0-RC1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.10.0-RC1
aliases CVE-2026-40176, GHSA-wg36-wvj6-r67p
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1sk6-xbn9-q7es
1
url VCID-2pwj-7xfy-zkh3
vulnerability_id VCID-2pwj-7xfy-zkh3
summary 
Inclusion of Functionality from Untrusted Control Sphere
Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:```sh
rm vendor/composer/installed.php vendor/composer/InstalledVersions.php
composer install --no-scripts --no-plugins
```
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-24821
reference_id
reference_type
scores
0
value 0.00132
scoring_system epss
scoring_elements 0.32367
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-24821
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24821
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24821
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/composer/composer
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/composer/composer
4
reference_url https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-11T18:11:46Z/
url https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5
5
reference_url https://github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/composer/composer/commit/77e3982918bc1d886843dc3d5e575e7e871b27b7
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-24821
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-24821
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063603
reference_id 1063603
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063603
8
reference_url https://github.com/advisories/GHSA-7c6p-848j-wh5h
reference_id GHSA-7c6p-848j-wh5h
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7c6p-848j-wh5h
9
reference_url https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
reference_id GHSA-7c6p-848j-wh5h
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-11T18:11:46Z/
url https://github.com/composer/composer/security/advisories/GHSA-7c6p-848j-wh5h
10
reference_url https://usn.ubuntu.com/7603-1/
reference_id USN-7603-1
reference_type
scores
url https://usn.ubuntu.com/7603-1/
fixed_packages
0
url pkg:composer/composer/composer@2.2.23
purl pkg:composer/composer/composer@2.2.23
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-52e4-4t6n-p3e9
2
vulnerability VCID-hnah-ry8y-77d6
3
vulnerability VCID-q7kj-g74r-s7ec
4
vulnerability VCID-v9rg-9gpu-23h6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.23
1
url pkg:composer/composer/composer@2.3.0-RC1
purl pkg:composer/composer/composer@2.3.0-RC1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1
2
url pkg:composer/composer/composer@2.7.0
purl pkg:composer/composer/composer@2.7.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-52e4-4t6n-p3e9
2
vulnerability VCID-hnah-ry8y-77d6
3
vulnerability VCID-q7kj-g74r-s7ec
4
vulnerability VCID-v9rg-9gpu-23h6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.7.0
aliases CVE-2024-24821, GHSA-7c6p-848j-wh5h
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2pwj-7xfy-zkh3
2
url VCID-52e4-4t6n-p3e9
vulnerability_id VCID-52e4-4t6n-p3e9
summary 
Composer is vulnerable to ANSI sequence injection
Attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application.

There is no proven exploit and this has thus a low severity but Composer still published a CVE as it has potential for abuse, and Composer wants to be on the safe side informing users that they should upgrade.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-67746.json
reference_id
reference_type
scores
0
value 3.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-67746.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-67746
reference_id
reference_type
scores
0
value 0.00018
scoring_system epss
scoring_elements 0.04998
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-67746
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-67746
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-67746
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 3.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/composer/composer
reference_id
reference_type
scores
0
value 1.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/composer/composer
5
reference_url https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917
reference_id
reference_type
scores
0
value 1.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-30T17:17:14Z/
url https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917
6
reference_url https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71
reference_id
reference_type
scores
0
value 1.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-30T17:17:14Z/
url https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71
7
reference_url https://github.com/composer/composer/releases/tag/2.2.26
reference_id
reference_type
scores
0
value 1.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-30T17:17:14Z/
url https://github.com/composer/composer/releases/tag/2.2.26
8
reference_url https://github.com/composer/composer/releases/tag/2.9.3
reference_id
reference_type
scores
0
value 1.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
1
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-30T17:17:14Z/
url https://github.com/composer/composer/releases/tag/2.9.3
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2426283
reference_id 2426283
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2426283
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-67746
reference_id CVE-2025-67746
reference_type
scores
0
value 1.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-67746
11
reference_url https://github.com/advisories/GHSA-59pp-r3rg-353g
reference_id GHSA-59pp-r3rg-353g
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-59pp-r3rg-353g
12
reference_url https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g
reference_id GHSA-59pp-r3rg-353g
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 1.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U
2
value 1.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-30T17:17:14Z/
url https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g
13
reference_url https://access.redhat.com/errata/RHSA-2026:8165
reference_id RHSA-2026:8165
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8165
fixed_packages
0
url pkg:composer/composer/composer@2.2.26
purl pkg:composer/composer/composer@2.2.26
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-q7kj-g74r-s7ec
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.26
1
url pkg:composer/composer/composer@2.3.0-RC1
purl pkg:composer/composer/composer@2.3.0-RC1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1
2
url pkg:composer/composer/composer@2.9.3
purl pkg:composer/composer/composer@2.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-q7kj-g74r-s7ec
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.9.3
aliases CVE-2025-67746, GHSA-59pp-r3rg-353g
risk_score 1.6
exploitability 0.5
weighted_severity 3.1
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-52e4-4t6n-p3e9
3
url VCID-8zzn-tauw-mydc
vulnerability_id VCID-8zzn-tauw-mydc
summary 
Improper Input Validation
Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-24828
reference_id
reference_type
scores
0
value 0.00167
scoring_system epss
scoring_elements 0.3758
published_at 2026-06-05T12:55:00Z
1
value 0.00167
scoring_system epss
scoring_elements 0.37487
published_at 2026-06-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-24828
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24828
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24828
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/composer/composer
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/composer/composer
4
reference_url https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709
5
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2022-24828.yaml
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2022-24828.yaml
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/625MT3IKWKFVIWLSYZFSXHVUA2LES7YQ/
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GWT6LDSRY7SFMTDZWJ4MS2ZBXHL7VQEF/
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG/
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QD7JQWL6C4GVROO25DTXWYWM6BPOPPCG/
12
reference_url https://www.tenable.com/security/tns-2022-09
reference_id
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.tenable.com/security/tns-2022-09
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009960
reference_id 1009960
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009960
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-24828
reference_id CVE-2022-24828
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-24828
15
reference_url https://github.com/advisories/GHSA-x7cr-6qr6-2hh6
reference_id GHSA-x7cr-6qr6-2hh6
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x7cr-6qr6-2hh6
16
reference_url https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
reference_id GHSA-x7cr-6qr6-2hh6
reference_type
scores
0
value 8.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/composer/composer/security/advisories/GHSA-x7cr-6qr6-2hh6
17
reference_url https://security.gentoo.org/glsa/202508-06
reference_id GLSA-202508-06
reference_type
scores
url https://security.gentoo.org/glsa/202508-06
18
reference_url https://usn.ubuntu.com/7603-1/
reference_id USN-7603-1
reference_type
scores
url https://usn.ubuntu.com/7603-1/
fixed_packages
0
url pkg:composer/composer/composer@2.2.12
purl pkg:composer/composer/composer@2.2.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-2pwj-7xfy-zkh3
2
vulnerability VCID-52e4-4t6n-p3e9
3
vulnerability VCID-bfsn-ds7s-j3ha
4
vulnerability VCID-hnah-ry8y-77d6
5
vulnerability VCID-q7kj-g74r-s7ec
6
vulnerability VCID-v9rg-9gpu-23h6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.12
1
url pkg:composer/composer/composer@2.3.5
purl pkg:composer/composer/composer@2.3.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-2pwj-7xfy-zkh3
2
vulnerability VCID-52e4-4t6n-p3e9
3
vulnerability VCID-bfsn-ds7s-j3ha
4
vulnerability VCID-hnah-ry8y-77d6
5
vulnerability VCID-q7kj-g74r-s7ec
6
vulnerability VCID-v9rg-9gpu-23h6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.5
aliases CVE-2022-24828, GHSA-x7cr-6qr6-2hh6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8zzn-tauw-mydc
4
url VCID-bfsn-ds7s-j3ha
vulnerability_id VCID-bfsn-ds7s-j3ha
summary 
Composer Remote Code Execution vulnerability via web-accessible composer.phar
Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-43655
reference_id
reference_type
scores
0
value 0.01575
scoring_system epss
scoring_elements 0.81917
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-43655
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43655
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-43655
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/composer/composer
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/composer/composer
4
reference_url https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/
url https://github.com/composer/composer/commit/4fce14795aba98e40b6c4f5047305aba17a6120d
5
reference_url https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/
url https://github.com/composer/composer/commit/955a48e6319c8962e5cd421b07c00ab3c728968c
6
reference_url https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/
url https://github.com/composer/composer/commit/95e091c921037b7b6564942845e7b738f6b95c9c
7
reference_url https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html
reference_id
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/
url https://lists.debian.org/debian-lts-announce/2024/03/msg00030.html
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2
11
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/
reference_id 66H2WKFUO255T3BZTL72TNYJYH2XM5FG
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/66H2WKFUO255T3BZTL72TNYJYH2XM5FG/
12
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/
reference_id 7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7AWYAUZNH565NWPIKGEIYBWHYNM5JGAE/
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-43655
reference_id CVE-2023-43655
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-43655
14
reference_url https://github.com/advisories/GHSA-jm6m-4632-36hf
reference_id GHSA-jm6m-4632-36hf
reference_type
scores
url https://github.com/advisories/GHSA-jm6m-4632-36hf
15
reference_url https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf
reference_id GHSA-jm6m-4632-36hf
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/
url https://github.com/composer/composer/security/advisories/GHSA-jm6m-4632-36hf
16
reference_url https://security.gentoo.org/glsa/202508-06
reference_id GLSA-202508-06
reference_type
scores
url https://security.gentoo.org/glsa/202508-06
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/
reference_id KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-09-23T16:22:54Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KFOPGPW2KS37O3KJWBRGTUWHTXCQXBS2/
18
reference_url https://usn.ubuntu.com/7603-1/
reference_id USN-7603-1
reference_type
scores
url https://usn.ubuntu.com/7603-1/
fixed_packages
0
url pkg:composer/composer/composer@2.2.22
purl pkg:composer/composer/composer@2.2.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-2pwj-7xfy-zkh3
2
vulnerability VCID-52e4-4t6n-p3e9
3
vulnerability VCID-hnah-ry8y-77d6
4
vulnerability VCID-q7kj-g74r-s7ec
5
vulnerability VCID-v9rg-9gpu-23h6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.22
1
url pkg:composer/composer/composer@2.3.0-RC1
purl pkg:composer/composer/composer@2.3.0-RC1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1
2
url pkg:composer/composer/composer@2.6.4
purl pkg:composer/composer/composer@2.6.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-2pwj-7xfy-zkh3
2
vulnerability VCID-52e4-4t6n-p3e9
3
vulnerability VCID-hnah-ry8y-77d6
4
vulnerability VCID-q7kj-g74r-s7ec
5
vulnerability VCID-v9rg-9gpu-23h6
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.6.4
aliases CVE-2023-43655, GHSA-jm6m-4632-36hf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bfsn-ds7s-j3ha
5
url VCID-hnah-ry8y-77d6
vulnerability_id VCID-hnah-ry8y-77d6
summary 
Composer has a command injection via malicious git branch name
The `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-35241
reference_id
reference_type
scores
0
value 0.00442
scoring_system epss
scoring_elements 0.63649
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-35241
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35241
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35241
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35242
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35242
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/composer/composer
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/composer/composer
5
reference_url https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:42:58Z/
url https://github.com/composer/composer/commit/b93fc6ca437da35ae73d667d0618749c763b67d4
6
reference_url https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:42:58Z/
url https://github.com/composer/composer/commit/ee28354ca8d33c15949ad7de2ce6656ba3f68704
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073125
reference_id 1073125
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073125
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-35241
reference_id CVE-2024-35241
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-35241
11
reference_url https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability
reference_id CVE-2024-35241-DETECT-COMPOSER-VULNERABILITY
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.vicarius.io/vsociety/posts/cve-2024-35241-detect-composer-vulnerability
12
reference_url https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer
reference_id CVE-2024-35241-MITIGATE-VULNERABLE-COMPOSER
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.vicarius.io/vsociety/posts/cve-2024-35241-mitigate-vulnerable-composer
13
reference_url https://github.com/advisories/GHSA-47f6-5gq3-vx9c
reference_id GHSA-47f6-5gq3-vx9c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-47f6-5gq3-vx9c
14
reference_url https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
reference_id GHSA-47f6-5gq3-vx9c
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:42:58Z/
url https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/
reference_id PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:42:58Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/
16
reference_url https://usn.ubuntu.com/7603-1/
reference_id USN-7603-1
reference_type
scores
url https://usn.ubuntu.com/7603-1/
17
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/
reference_id VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:42:58Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/
fixed_packages
0
url pkg:composer/composer/composer@2.2.24
purl pkg:composer/composer/composer@2.2.24
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-52e4-4t6n-p3e9
2
vulnerability VCID-q7kj-g74r-s7ec
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.24
1
url pkg:composer/composer/composer@2.3.0-RC1
purl pkg:composer/composer/composer@2.3.0-RC1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1
2
url pkg:composer/composer/composer@2.7.7
purl pkg:composer/composer/composer@2.7.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-52e4-4t6n-p3e9
2
vulnerability VCID-q7kj-g74r-s7ec
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.7.7
aliases CVE-2024-35241, GHSA-47f6-5gq3-vx9c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hnah-ry8y-77d6
6
url VCID-q7kj-g74r-s7ec
vulnerability_id VCID-q7kj-g74r-s7ec
summary composer: command injection via malicious Perforce source reference/url
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40261.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-40261.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-40261
reference_id
reference_type
scores
0
value 0.0005
scoring_system epss
scoring_elements 0.15931
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-40261
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40261
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-40261
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/composer/composer
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/composer/composer
5
reference_url https://github.com/composer/composer/releases/tag/2.9.6
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:41:03Z/
url https://github.com/composer/composer/releases/tag/2.9.6
6
reference_url https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-16T13:41:03Z/
url https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q
7
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40261.yaml
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/composer/composer/CVE-2026-40261.yaml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-40261
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-40261
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2458841
reference_id 2458841
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2458841
10
reference_url https://github.com/advisories/GHSA-gqw4-4w2p-838q
reference_id GHSA-gqw4-4w2p-838q
reference_type
scores
url https://github.com/advisories/GHSA-gqw4-4w2p-838q
11
reference_url https://access.redhat.com/errata/RHSA-2026:8165
reference_id RHSA-2026:8165
reference_type
scores
url https://access.redhat.com/errata/RHSA-2026:8165
fixed_packages
0
url pkg:composer/composer/composer@2.2.27
purl pkg:composer/composer/composer@2.2.27
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.27
1
url pkg:composer/composer/composer@2.3.0-RC1
purl pkg:composer/composer/composer@2.3.0-RC1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1
2
url pkg:composer/composer/composer@2.9.6
purl pkg:composer/composer/composer@2.9.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.9.6
3
url pkg:composer/composer/composer@2.10.0-RC1
purl pkg:composer/composer/composer@2.10.0-RC1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.10.0-RC1
aliases CVE-2026-40261, GHSA-gqw4-4w2p-838q
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q7kj-g74r-s7ec
7
url VCID-v9rg-9gpu-23h6
vulnerability_id VCID-v9rg-9gpu-23h6
summary 
Composer has multiple command injections via malicious git/hg branch names
The `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-35242
reference_id
reference_type
scores
0
value 0.23787
scoring_system epss
scoring_elements 0.96115
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-35242
1
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35241
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35241
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35242
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35242
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/composer/composer
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/composer/composer
5
reference_url https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:44:05Z/
url https://github.com/composer/composer/commit/6bd43dff859c597c09bd03a7e7d6443822d0a396
6
reference_url https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:44:05Z/
url https://github.com/composer/composer/commit/fc57b93603d7d90b71ca8ec77b1c8a9171fdb467
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073126
reference_id 1073126
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073126
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-35242
reference_id CVE-2024-35242
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-35242
11
reference_url https://github.com/advisories/GHSA-v9qv-c7wm-wgmf
reference_id GHSA-v9qv-c7wm-wgmf
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v9qv-c7wm-wgmf
12
reference_url https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
reference_id GHSA-v9qv-c7wm-wgmf
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:44:05Z/
url https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
13
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/
reference_id PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:44:05Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PO4MU2BC7VR6LMHEX4X7DKGHVFXZV2MC/
14
reference_url https://usn.ubuntu.com/7603-1/
reference_id USN-7603-1
reference_type
scores
url https://usn.ubuntu.com/7603-1/
15
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/
reference_id VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-15T20:44:05Z/
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VLPJHM2WWSYU2F6KHW2BYFGYL4IGTKHC/
fixed_packages
0
url pkg:composer/composer/composer@2.2.24
purl pkg:composer/composer/composer@2.2.24
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-52e4-4t6n-p3e9
2
vulnerability VCID-q7kj-g74r-s7ec
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.24
1
url pkg:composer/composer/composer@2.3.0-RC1
purl pkg:composer/composer/composer@2.3.0-RC1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.3.0-RC1
2
url pkg:composer/composer/composer@2.7.7
purl pkg:composer/composer/composer@2.7.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1sk6-xbn9-q7es
1
vulnerability VCID-52e4-4t6n-p3e9
2
vulnerability VCID-q7kj-g74r-s7ec
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.7.7
aliases CVE-2024-35242, GHSA-v9qv-c7wm-wgmf
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v9rg-9gpu-23h6
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/composer/composer@2.2.0-RC1