Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Composer — Vulnerabilities & Security Advisories 14

All 14 CVE vulnerabilities found in Composer, with AI-generated Chinese analysis, references, and POCs.

This page provides a comprehensive aggregation of Common Weakness Enumeration (CWE) vulnerabilities associated with the composer dependency management tool. It serves as a centralized resource for security researchers and developers to analyze the specific security weaknesses affecting this widely used PHP package manager. The content collected here spans a broad historical period, capturing all recorded incidents from the tool's initial public release through the present day. This extensive timeline allows for a longitudinal analysis of security trends and the evolution of patching responses within the composer ecosystem. Readers can utilize this data to track vendor advisories and monitor the timeline of security disclosures related to composer. Furthermore, the page facilitates a deeper understanding of specific weakness classes by contextualizing them within real-world software failures. Users can also look up a product's vulnerability history to identify recurring patterns or critical vulnerabilities that have impacted the integrity of PHP projects. This aggregation supports informed decision-making by providing a clear view of the security posture surrounding composer. It highlights how common weaknesses manifest in package resolution, dependency checking, and authentication mechanisms. By consolidating these details, the page offers a factual basis for assessing risk and implementing appropriate mitigations in development workflows. The information is presented objectively to aid in technical assessment rather than promotion.

Vendor: composer

CVE IDTitleCVSSSeverityPublished
CVE-2026-59947 Composer: URL-embedded HTTP-Basic username leaks to verbose logs (GitHub PAT exposure) CWE-532 4.7 Medium2026-07-08
CVE-2026-59948 Composer: Arbitrary file write outside vendor via malicious transitive package name CWE-22 7.0 High2026-07-08
CVE-2026-59946 Composer: Path traversal in package bin field lets dependencies chmod arbitrary host files CWE-22 6.1 Medium2026-07-08
CVE-2026-10043 MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability CWE-502--2026-06-24
CVE-2026-40261 Composer has Command Injection via Malicious Perforce Reference CWE-78 8.8 High2026-04-15
CVE-2026-40176 Composer is vulnerable to Command Injection via Malicious Perforce Repository CWE-20 7.8 High2026-04-15
CVE-2025-67746 Composer vulnerable to ANSI sequence injection CWE-74 8.1 -2025-12-30
CVE-2024-35242 Composer vulnerable to command injection via malicious git/hg branch names CWE-77 8.8 High2024-06-10
CVE-2024-35241 Composer vulnerable to command injection via malicious git branch name CWE-77 8.8 High2024-06-10
CVE-2024-24821 Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php in Composer CWE-829 8.8 High2024-02-08
CVE-2023-43655 Remote Code Execution via web-accessible composer.phar CWE-74 6.4 Medium2023-09-29
CVE-2022-24828 Missing input validation can lead to command execution in composer CWE-20 8.3 High2022-04-13
CVE-2021-41116 Command injection in composer on Windows CWE-77 8.2 High2021-10-05
CVE-2021-29472 Missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial in composer CWE-88 8.8 High2021-04-27

All 14 known CVE vulnerabilities affecting Composer with full Chinese analysis, references, and POCs where available.