HIGH 8.8 | CVE-2026-40261 | Composer has a command injection via malicious perforce reference | affected: >= 2.3.0, < 2.9.6
HIGH 8.8 | CVE-2024-35241 | Composer has a command injection via malicious git branch name | affected: >= 2.0, < 2.2.24
HIGH 8.8 | CVE-2024-35242 | Composer has multiple command injections via malicious git/hg branch names | affected: >= 2.0, < 2.2.24
HIGH 8.8 | Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php | affected: >= 2.0.0-alpha1, < 2.2.23
HIGH 8.8 | Composer Remote Code Execution vulnerability via web-accessible composer.phar | affected: from 0, < 1.10.27
HIGH 8.8 | Composer allows cache poisoning from other projects built on the same host | affected: from 0, < 1.0.0
HIGH 8.8 | Composer's missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial | affected: from 0, < 1.10.22
HIGH 8.3 | Missing input validation can lead to command execution in composer | affected: from 0, < 1.10.26
HIGH 8.2 | Improper escaping of command arguments on Windows leading to command injection | affected: from 0, < 1.10.23
HIGH 7.8 | Composer has a command injection via malicious perforce repository | affected: >= 2.3.0, < 2.9.6
HIGH 7.5 | Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs | affected: >= 2.3.0, < 2.9.8
MEDIUM 4.3 | Composer is vulnerable to ANSI sequence injection | affected: >= 2.0.0, < 2.2.26