VulnerableCode Package Details - pkg:composer/composer/composer@2.8.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-1sk6-xbn9-q7es Aliases: CVE-2026-40176 GHSA-wg36-wvj6-r67p	composer: command injection via malicious Perforce repository definition	2.9.6 Affected by 0 other vulnerabilities. 2.10.0-RC1 Affected by 0 other vulnerabilities.
VCID-52e4-4t6n-p3e9 Aliases: CVE-2025-67746 GHSA-59pp-r3rg-353g	Composer is vulnerable to ANSI sequence injection Attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but Composer still published a CVE as it has potential for abuse, and Composer wants to be on the safe side informing users that they should upgrade.	2.9.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-q7kj-g74r-s7ec Aliases: CVE-2026-40261 GHSA-gqw4-4w2p-838q	composer: command injection via malicious Perforce source reference/url	2.9.6 Affected by 0 other vulnerabilities. 2.10.0-RC1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-1sk6-xbn9-q7es
Aliases:
CVE-2026-40176
GHSA-wg36-wvj6-r67p

composer: command injection via malicious Perforce repository definition

2.9.6
Affected by 0 other vulnerabilities.

2.10.0-RC1
Affected by 0 other vulnerabilities.

VCID-52e4-4t6n-p3e9
Aliases:
CVE-2025-67746
GHSA-59pp-r3rg-353g

Composer is vulnerable to ANSI sequence injection Attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but Composer still published a CVE as it has potential for abuse, and Composer wants to be on the safe side informing users that they should upgrade.

2.9.3
Affected by 2 other vulnerabilities.

VCID-q7kj-g74r-s7ec
Aliases:
CVE-2026-40261
GHSA-gqw4-4w2p-838q

composer: command injection via malicious Perforce source reference/url

2.9.6
Affected by 0 other vulnerabilities.

2.10.0-RC1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T08:01:52.843660+00:00	GitLab Importer	Affected by	VCID-q7kj-g74r-s7ec	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2026-40261.yml	38.6.0
2026-06-06T07:59:32.541740+00:00	GitLab Importer	Affected by	VCID-1sk6-xbn9-q7es	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2026-40176.yml	38.6.0
2026-06-06T06:33:58.425991+00:00	GitLab Importer	Affected by	VCID-52e4-4t6n-p3e9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/composer/composer/CVE-2025-67746.yml	38.6.0