VulnerableCode Package Details - pkg:composer/composer/composer@1.6.3

Vulnerabilities affecting this package (6)

Vulnerability	Summary	Fixed by
VCID-7rc9-6ar5-9fak Aliases: CVE-2021-41116 GHSA-frqg-7g38-6gcf	arbitrary command execution	1.10.23 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.0.0-RC1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.1.9 Affected by 8 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-8pap-8xmr-m3ha Aliases: CVE-2026-40176 GHSA-wg36-wvj6-r67p		2.2.27 Affected by 0 other vulnerabilities. 2.3.0-RC1 Affected by 0 other vulnerabilities. 2.9.6 Affected by 0 other vulnerabilities. 2.10.0-RC1 Affected by 0 other vulnerabilities.
VCID-bnyz-f4w9-27at Aliases: CVE-2021-29472 GHSA-h5h8-pc6h-jvvx	arbitrary code execution	1.10.22 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.0.13 Affected by 9 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-fzya-vz4m-5yhu Aliases: CVE-2023-43655 GHSA-jm6m-4632-36hf	Composer Remote Code Execution vulnerability via web-accessible composer.phar Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini.	1.10.27 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.0.0-RC1 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.2.22 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.3.0-RC1 Affected by 0 other vulnerabilities. 2.6.4 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-kpnb-b563-1yft Aliases: CVE-2026-40261 GHSA-gqw4-4w2p-838q		2.2.27 Affected by 0 other vulnerabilities. 2.3.0-RC1 Affected by 0 other vulnerabilities. 2.9.6 Affected by 0 other vulnerabilities. 2.10.0-RC1 Affected by 0 other vulnerabilities.
VCID-xjjm-qjy8-aken Aliases: CVE-2022-24828 GHSA-x7cr-6qr6-2hh6	Improper Input Validation Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.	1.10.26 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.2.12 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.3.5 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Next non-vulnerable version	1.10.28
Latest non-vulnerable version	2.10.0-RC1
Risk	4.0

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-01T10:44:51.294217+00:00	GitLab Importer	Affected by	VCID-kpnb-b563-1yft	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2026-40261.yml	38.6.0
2026-06-01T10:43:34.550587+00:00	GitLab Importer	Affected by	VCID-8pap-8xmr-m3ha	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2026-40176.yml	38.6.0
2026-06-01T07:39:36.507036+00:00	GitLab Importer	Affected by	VCID-fzya-vz4m-5yhu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2023-43655.yml	38.6.0
2026-06-01T06:36:27.788555+00:00	GitLab Importer	Affected by	VCID-xjjm-qjy8-aken	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2022-24828.yml	38.6.0
2026-06-01T06:18:48.564267+00:00	GitLab Importer	Affected by	VCID-7rc9-6ar5-9fak	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2021-41116.yml	38.6.0
2026-06-01T06:07:26.654149+00:00	GitLab Importer	Affected by	VCID-bnyz-f4w9-27at	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2021-29472.yml	38.6.0