Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

composer — Vulnerabilities & Security Advisories 11

Browse all 11 CVE security advisories affecting composer. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Composer is a dependency manager for PHP that enables developers to manage project libraries and their dependencies. Historically, it has been associated with vulnerabilities like remote code execution (RCE), cross-site scripting (XSS), and privilege escalation, often through compromised packages or insecure configurations. Notable security characteristics include its extensive package repository and automatic dependency resolution, which can introduce risks if not properly monitored. Major incidents include supply chain attacks where malicious code was injected into popular packages, leading to widespread exploitation. The tool's widespread adoption in PHP ecosystems makes it a critical component requiring robust security practices to mitigate potential threats from its package ecosystem.

Top products by composer: composer windows-setup
CVE IDTitleCVSSSeverityPublished
CVE-2026-40261 Composer has Command Injection via Malicious Perforce Reference — composerCWE-78 8.8 High2026-04-15
CVE-2026-40176 Composer is vulnerable to Command Injection via Malicious Perforce Repository — composerCWE-20 7.8 High2026-04-15
CVE-2025-67746 Composer vulnerable to ANSI sequence injection — composerCWE-74 8.1 -2025-12-30
CVE-2024-35242 Composer vulnerable to command injection via malicious git/hg branch names — composerCWE-77 8.8 High2024-06-10
CVE-2024-35241 Composer vulnerable to command injection via malicious git branch name — composerCWE-77 8.8 High2024-06-10
CVE-2024-24821 Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php in Composer — composerCWE-829 8.8 High2024-02-08
CVE-2023-43655 Remote Code Execution via web-accessible composer.phar — composerCWE-74 6.4 Medium2023-09-29
CVE-2022-24828 Missing input validation can lead to command execution in composer — composerCWE-20 8.3 High2022-04-13
CVE-2021-41116 Command injection in composer on Windows — composerCWE-77 8.2 High2021-10-05
CVE-2021-29472 Missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial in composer — composerCWE-88 8.8 High2021-04-27
CVE-2020-15145 Local privilege elevation in Composer-Setup for Windows — windows-setupCWE-276 6.7 Medium2020-08-14

This page lists every published CVE security advisory associated with composer. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.