HIGH 8.8 CVE-2026-40261 Composer has Command Injection via Malicious Perforce Reference
>= 1.0.0, < 2.2.27, >= 2.3.0, < 2.9.6
HIGH 8.8 CVE-2024-35241 Composer vulnerable to command injection via malicious git branch name
>= 2.0.0, < 2.2.24, >= 2.3.0, < 2.7.7
HIGH 8.8 CVE-2024-35242 Composer vulnerable to command injection via malicious git/hg branch names
>= 2.0.0, < 2.2.24, >= 2.3.0, < 2.7.7
HIGH 8.8 Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php in Composer
>= 2.0.0, < 2.2.23, >= 2.3.0, < 2.7.0
HIGH 8.8 Remote Code Execution via web-accessible composer.phar
from 0, < 1.10.27, >= 2.0.0, < 2.2.21, >= 2.3.0, < 2.6.4
HIGH 8.8 Missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial in composer
from 0, < 1.10.22, >= 2.0.0, < 2.0.13
HIGH 8.3 Missing input validation can lead to command execution in composer
from 0, < 1.10.26, >= 2.0.0, < 2.2.12, >= 2.3.0, < 2.3.5
HIGH 8.2 Command injection in composer on Windows
from 0, < 1.10.23, >= 2.0.0, < 2.1.9
HIGH 7.8 Composer is vulnerable to Command Injection via Malicious Perforce Repository
>= 1.0.0, < 2.2.27, >= 2.3.0, < 2.9.6
MEDIUM 4.3 Composer vulnerable to ANSI sequence injection
>= 2.0.0, < 2.2.26, >= 2.3.0, < 2.9.3