Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:composer/composer/composer@1.10.26
purl pkg:composer/composer/composer@1.10.26
Next non-vulnerable version 1.10.28
Latest non-vulnerable version 2.9.8
Risk
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-8pap-8xmr-m3ha
Aliases:
CVE-2026-40176
GHSA-wg36-wvj6-r67p
2.10.0-RC1
Affected by 0 other vulnerabilities.
2.2.27
Affected by 0 other vulnerabilities.
2.3.0-RC1
Affected by 0 other vulnerabilities.
2.9.6
Affected by 0 other vulnerabilities.
VCID-fzya-vz4m-5yhu
Aliases:
CVE-2023-43655
GHSA-jm6m-4632-36hf
Composer Remote Code Execution vulnerability via web-accessible composer.phar Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini.
1.10.27
Affected by 2 other vulnerabilities.
2.0.0-RC1
Affected by 2 other vulnerabilities.
2.2.22
Affected by 6 other vulnerabilities.
2.3.0-RC1
Affected by 0 other vulnerabilities.
2.6.4
Affected by 6 other vulnerabilities.
VCID-kpnb-b563-1yft
Aliases:
CVE-2026-40261
GHSA-gqw4-4w2p-838q
2.10.0-RC1
Affected by 0 other vulnerabilities.
2.2.27
Affected by 0 other vulnerabilities.
2.3.0-RC1
Affected by 0 other vulnerabilities.
2.9.6
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-xjjm-qjy8-aken Improper Input Validation Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report. CVE-2022-24828
GHSA-x7cr-6qr6-2hh6

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-01T10:44:51.503371+00:00 GitLab Importer Affected by VCID-kpnb-b563-1yft https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2026-40261.yml 38.6.0
2026-06-01T10:43:34.767913+00:00 GitLab Importer Affected by VCID-8pap-8xmr-m3ha https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2026-40176.yml 38.6.0
2026-06-01T07:39:36.708346+00:00 GitLab Importer Affected by VCID-fzya-vz4m-5yhu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2023-43655.yml 38.6.0
2026-05-31T11:20:22.130109+00:00 GithubOSV Importer Fixing VCID-xjjm-qjy8-aken https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-x7cr-6qr6-2hh6/GHSA-x7cr-6qr6-2hh6.json 38.6.0
2026-05-31T00:55:55.720495+00:00 GHSA Importer Fixing VCID-xjjm-qjy8-aken https://github.com/advisories/GHSA-x7cr-6qr6-2hh6 38.6.0
2026-05-30T20:57:43.644629+00:00 GitLab Importer Fixing VCID-xjjm-qjy8-aken https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2022-24828.yml 38.6.0