VulnerableCode Package Details - pkg:composer/composer/composer@1.10.23

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:composer/composer/composer@1.10.23

Essentials
History (7)

purl	pkg:composer/composer/composer@1.10.23

Next non-vulnerable version	1.10.28
Latest non-vulnerable version	2.10.0-RC1
Risk	4.0

Vulnerabilities affecting this package (4)

Vulnerability	Summary	Fixed by
VCID-8pap-8xmr-m3ha Aliases: CVE-2026-40176 GHSA-wg36-wvj6-r67p		2.2.27 Affected by 0 other vulnerabilities. 2.3.0-RC1 Affected by 0 other vulnerabilities. 2.9.6 Affected by 0 other vulnerabilities. 2.10.0-RC1 Affected by 0 other vulnerabilities.
VCID-fzya-vz4m-5yhu Aliases: CVE-2023-43655 GHSA-jm6m-4632-36hf	Composer Remote Code Execution vulnerability via web-accessible composer.phar Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini.	1.10.27 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.0.0-RC1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.2.22 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.3.0-RC1 Affected by 0 other vulnerabilities. 2.6.4 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-kpnb-b563-1yft Aliases: CVE-2026-40261 GHSA-gqw4-4w2p-838q		2.2.27 Affected by 0 other vulnerabilities. 2.3.0-RC1 Affected by 0 other vulnerabilities. 2.9.6 Affected by 0 other vulnerabilities. 2.10.0-RC1 Affected by 0 other vulnerabilities.
VCID-xjjm-qjy8-aken Aliases: CVE-2022-24828 GHSA-x7cr-6qr6-2hh6	Improper Input Validation Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.	1.10.26 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.2.12 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.3.5 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-7rc9-6ar5-9fak	arbitrary command execution	CVE-2021-41116 GHSA-frqg-7g38-6gcf

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T10:44:51.487896+00:00	GitLab Importer	Affected by	VCID-kpnb-b563-1yft	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2026-40261.yml	38.6.0
2026-06-01T10:43:34.754314+00:00	GitLab Importer	Affected by	VCID-8pap-8xmr-m3ha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2026-40176.yml	38.6.0
2026-06-01T07:39:36.695140+00:00	GitLab Importer	Affected by	VCID-fzya-vz4m-5yhu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2023-43655.yml	38.6.0
2026-06-01T06:36:27.987164+00:00	GitLab Importer	Affected by	VCID-xjjm-qjy8-aken	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2022-24828.yml	38.6.0
2026-05-31T21:34:12.961354+00:00	GHSA Importer	Fixing	VCID-7rc9-6ar5-9fak	https://github.com/advisories/GHSA-frqg-7g38-6gcf	38.6.0
2026-05-31T11:11:09.991026+00:00	GithubOSV Importer	Fixing	VCID-7rc9-6ar5-9fak	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/10/GHSA-frqg-7g38-6gcf/GHSA-frqg-7g38-6gcf.json	38.6.0
2026-05-30T20:55:55.875969+00:00	GitLab Importer	Fixing	VCID-7rc9-6ar5-9fak	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2021-41116.yml	38.6.0