CVE-2025-67746 (GCVE-0-2025-67746)
Vulnerability from cvelistv5 – Published: 2025-12-30 16:11 – Updated: 2025-12-30 17:30 – CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
| URL | Tags |
|---|---|
| https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g | x_refsource_CONFIRM (vendor advisory) |
| https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917 | x_refsource_MISC (patch commit) |
| https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71 | x_refsource_MISC (patch commit) |
| https://github.com/composer/composer/releases/tag/2.2.26 | x_refsource_MISC (fixed release, 2.2 LTS) |
| https://github.com/composer/composer/releases/tag/2.9.3 | x_refsource_MISC (fixed release, mainline) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-67746",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-30T17:17:14.852114Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T17:30:04.562Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "composer",
"vendor": "composer",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0, \u003c 2.2.26"
},
{
"status": "affected",
"version": "\u003e= 2.3, \u003c 2.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 1.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-30T16:11:04.776Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g"
},
{
"name": "https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917"
},
{
"name": "https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71"
},
{
"name": "https://github.com/composer/composer/releases/tag/2.2.26",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/composer/releases/tag/2.2.26"
},
{
"name": "https://github.com/composer/composer/releases/tag/2.9.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/composer/composer/releases/tag/2.9.3"
}
],
"source": {
"advisory": "GHSA-59pp-r3rg-353g",
"discovery": "UNKNOWN"
},
"title": "Composer vulnerable to ANSI sequence injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-67746",
"datePublished": "2025-12-30T16:11:04.776Z",
"dateReserved": "2025-12-11T18:08:02.947Z",
"dateUpdated": "2025-12-30T17:30:04.562Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-67746",
"date": "2026-05-27",
"epss": "0.00035",
"percentile": "0.10754"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-67746\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-30T16:15:47.170\",\"lastModified\":\"2026-02-25T14:54:30.833\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":1.3,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserIntera
ction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.2.26\",\"matchCriteriaId\":\"6B8D068B-A6E3-4084-A8C4-07CA81E267A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.3.0\",\"versionEndExcluding\":\"2.9.3\",\"matchCriteriaId\":\"CCCF50D3-91B5-4957-A5B0-50D2B41C5264\"}]}]}],\"references\":[{\"url\":\"https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71\",\"source\":\"s
ecurity-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/composer/composer/releases/tag/2.2.26\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/composer/composer/releases/tag/2.9.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-67746\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-30T17:17:14.852114Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-30T17:27:20.727Z\"}}], \"cna\": {\"title\": \"Composer vulnerable to ANSI sequence injection\", \"source\": {\"advisory\": \"GHSA-59pp-r3rg-353g\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 1.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"composer\", \"product\": \"composer\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 2.0, \u003c 2.2.26\"}, {\"status\": \"affected\", \"version\": \"\u003e= 2.3, \u003c 2.9.3\"}]}], \"references\": [{\"url\": \"https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g\", \"name\": \"https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917\", \"name\": \"https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": 
\"https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71\", \"name\": \"https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/composer/composer/releases/tag/2.2.26\", \"name\": \"https://github.com/composer/composer/releases/tag/2.2.26\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/composer/composer/releases/tag/2.9.3\", \"name\": \"https://github.com/composer/composer/releases/tag/2.9.3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-74\", \"description\": \"CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-30T16:11:04.776Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-67746\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-30T17:30:04.562Z\", \"dateReserved\": \"2025-12-11T18:08:02.947Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-30T16:11:04.776Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
bit-composer-2025-67746
Vulnerability from bitnami_vulndb
Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "composer",
"purl": "pkg:bitnami/composer"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.26"
},
{
"introduced": "2.3.0"
},
{
"fixed": "2.9.3"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
],
"aliases": [
"CVE-2025-67746"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:getcomposer:composer:*:*:*:*:*:php:*:*"
],
"severity": "Low"
},
"details": "Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.",
"id": "BIT-composer-2025-67746",
"modified": "2026-01-08T12:08:29.041Z",
"published": "2026-01-08T11:35:54.533Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/releases/tag/2.2.26"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/releases/tag/2.9.3"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67746"
}
],
"schema_version": "1.6.2",
"summary": "Composer vulnerable to ANSI sequence injection"
}
FKIE_CVE-2025-67746
Vulnerability from fkie_nvd - Published: 2025-12-30 16:15 - Updated: 2026-02-25 14:54

Note: NVD's own CVSS 3.1 assessment of this CVE (4.3, MEDIUM, `AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L`) is higher than the CNA's CVSS 4.0 score (1.3, LOW). Tooling that ranks findings on the NVD "Primary" score may therefore prioritise this issue differently from the vendor advisory.

| Vendor | Product | Version | |
|---|---|---|---|
| getcomposer | composer | >= 2.0.0, < 2.2.26 | |
| getcomposer | composer | >= 2.3.0, < 2.9.3 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6B8D068B-A6E3-4084-A8C4-07CA81E267A7",
"versionEndExcluding": "2.2.26",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:getcomposer:composer:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CCCF50D3-91B5-4957-A5B0-50D2B41C5264",
"versionEndExcluding": "2.9.3",
"versionStartIncluding": "2.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue."
},
{
"lang": "es",
"value": "Composer es un gestor de dependencias para PHP. En versiones de la rama 2.x anteriores a la 2.2.26 y 2.9.3, atacantes que controlan fuentes remotas de las que Composer descarga podr\u00edan de alguna manera inyectar caracteres de control ANSI en la salida de terminal de varios comandos de Composer, causando una salida distorsionada y potencialmente llevando a confusi\u00f3n o DoS de la aplicaci\u00f3n de terminal. No hay un exploit probado y esto tiene por lo tanto una baja severidad, pero a\u00fan publicamos un CVE ya que tiene potencial de abuso, y queremos estar seguros informando a los usuarios de que deben actualizar. Las versiones 2.2.26 y 2.9.3 contienen un parche para el problema."
}
],
"id": "CVE-2025-67746",
"lastModified": "2026-02-25T14:54:30.833",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 1.3,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-12-30T16:15:47.170",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/composer/composer/releases/tag/2.2.26"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/composer/composer/releases/tag/2.9.3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-59PP-R3RG-353G
Vulnerability from github – Published: 2025-12-30 17:44 – Updated: 2025-12-31 22:17

Note: the CVSS 4.0 vector attached to this GHSA record (`AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U`) differs from the CNA vector in the CVE record (`AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U`, base score 1.3). Both sources rate the issue LOW, but consumers comparing vectors across databases should not expect them to match.

### Impact
Attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application.
There is no proven exploit and this has thus a low severity but Composer still published a CVE as it has potential for abuse, and Composer wants to be on the safe side informing users that they should upgrade.
### Patches
2.2.26 for 2.2 LTS or 2.9.3 for mainline.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "composer/composer"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.2.26"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "composer/composer"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.9.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-67746"
],
"database_specific": {
"cwe_ids": [
"CWE-74"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-30T17:44:10Z",
"nvd_published_at": "2025-12-30T16:15:47Z",
"severity": "LOW"
},
"details": "### Impact\nAttackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application.\n\nThere is no proven exploit and this has thus a low severity but Composer still published a CVE as it has potential for abuse, and Composer wants to be on the safe side informing users that they should upgrade.\n\n### Patches\n2.2.26 for 2.2 LTS or 2.9.3 for mainline.",
"id": "GHSA-59pp-r3rg-353g",
"modified": "2025-12-31T22:17:32Z",
"published": "2025-12-30T17:44:10Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67746"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71"
},
{
"type": "PACKAGE",
"url": "https://github.com/composer/composer"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/releases/tag/2.2.26"
},
{
"type": "WEB",
"url": "https://github.com/composer/composer/releases/tag/2.9.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Composer is vulnerable to ANSI sequence injection"
}
OPENSUSE-SU-2026:10054-1
Vulnerability from csaf_opensuse - Published: 2026-01-15 00:00 - Updated: 2026-01-15 00:00

Note: SUSE's aggregate rating for this advisory is "moderate", while its per-CVE CVSS 3.1 score is 3.3 LOW with a local, user-interaction vector (`AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L`) that differs from the network vectors used by the CNA and NVD.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| openSUSE Tumbleweed | openSUSE Tumbleweed:php-composer2-2.9.3-1.1.aarch64 | php-composer2 2.9.3-1.1 (aarch64) | Vendor Fix |
| openSUSE Tumbleweed | openSUSE Tumbleweed:php-composer2-2.9.3-1.1.ppc64le | php-composer2 2.9.3-1.1 (ppc64le) | Vendor Fix |
| openSUSE Tumbleweed | openSUSE Tumbleweed:php-composer2-2.9.3-1.1.s390x | php-composer2 2.9.3-1.1 (s390x) | Vendor Fix |
| openSUSE Tumbleweed | openSUSE Tumbleweed:php-composer2-2.9.3-1.1.x86_64 | php-composer2 2.9.3-1.1 (x86_64) | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "php-composer2-2.9.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the php-composer2-2.9.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10054",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10054-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-67746 page",
"url": "https://www.suse.com/security/cve/CVE-2025-67746/"
}
],
"title": "php-composer2-2.9.3-1.1 on GA media",
"tracking": {
"current_release_date": "2026-01-15T00:00:00Z",
"generator": {
"date": "2026-01-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10054-1",
"initial_release_date": "2026-01-15T00:00:00Z",
"revision_history": [
{
"date": "2026-01-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.9.3-1.1.aarch64",
"product": {
"name": "php-composer2-2.9.3-1.1.aarch64",
"product_id": "php-composer2-2.9.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.9.3-1.1.ppc64le",
"product": {
"name": "php-composer2-2.9.3-1.1.ppc64le",
"product_id": "php-composer2-2.9.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.9.3-1.1.s390x",
"product": {
"name": "php-composer2-2.9.3-1.1.s390x",
"product_id": "php-composer2-2.9.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.9.3-1.1.x86_64",
"product": {
"name": "php-composer2-2.9.3-1.1.x86_64",
"product_id": "php-composer2-2.9.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.9.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:php-composer2-2.9.3-1.1.aarch64"
},
"product_reference": "php-composer2-2.9.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.9.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:php-composer2-2.9.3-1.1.ppc64le"
},
"product_reference": "php-composer2-2.9.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.9.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:php-composer2-2.9.3-1.1.s390x"
},
"product_reference": "php-composer2-2.9.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.9.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:php-composer2-2.9.3-1.1.x86_64"
},
"product_reference": "php-composer2-2.9.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-67746",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-67746"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.aarch64",
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.ppc64le",
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.s390x",
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-67746",
"url": "https://www.suse.com/security/cve/CVE-2025-67746"
},
{
"category": "external",
"summary": "SUSE Bug 1255768 for CVE-2025-67746",
"url": "https://bugzilla.suse.com/1255768"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.aarch64",
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.ppc64le",
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.s390x",
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.aarch64",
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.ppc64le",
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.s390x",
"openSUSE Tumbleweed:php-composer2-2.9.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-01-15T00:00:00Z",
"details": "low"
}
],
"title": "CVE-2025-67746"
}
]
}
RHSA-2026:8165
Vulnerability from csaf_redhat - Published: 2026-04-14 17:59 - Updated: 2026-04-27 16:49A flaw was found in Composer, a dependency manager for PHP. A remote attacker could exploit this by injecting ANSI control characters into the terminal output of various Composer commands when Composer downloads from attacker-controlled remote sources. This can lead to mangled output, causing confusion or a Denial of Service (DoS) of the terminal application.
CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
A flaw was found in Composer. `Perforce::generateP4Command()` constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping, allowing an attacker to inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository.
A flaw was found in Composer. `Perforce::syncCodeBase()` appends the `$sourceReference` parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\ncomposer:\n * composer-2.9.7-1.hum1 (noarch)\n * composer-2.9.7-1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:8165",
"url": "https://access.redhat.com/errata/RHSA-2026:8165"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-40261",
"url": "https://access.redhat.com/security/cve/CVE-2026-40261"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-40176",
"url": "https://access.redhat.com/security/cve/CVE-2026-40176"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2025-67746",
"url": "https://access.redhat.com/security/cve/CVE-2025-67746"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_8165.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-04-27T16:49:32+00:00",
"generator": {
"date": "2026-04-27T16:49:32+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.5"
}
},
"id": "RHSA-2026:8165",
"initial_release_date": "2026-04-14T17:59:27+00:00",
"revision_history": [
{
"date": "2026-04-14T17:59:27+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-18T20:00:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-04-27T16:49:32+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "composer-main@noarch",
"product": {
"name": "composer-main@noarch",
"product_id": "composer-main@noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/composer@2.9.7-1.hum1?arch=noarch\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "composer-main@src",
"product": {
"name": "composer-main@src",
"product_id": "composer-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/composer@2.9.7-1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "composer-main@noarch as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:composer-main@noarch"
},
"product_reference": "composer-main@noarch",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "composer-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:composer-main@src"
},
"product_reference": "composer-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-67746",
"cwe": {
"id": "CWE-74",
"name": "Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
},
"discovery_date": "2025-12-30T17:01:39.753133+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2426283"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Composer, a dependency manager for PHP. A remote attacker could exploit this by injecting ANSI control characters into the terminal output of various Composer commands when Composer downloads from attacker-controlled remote sources. This can lead to mangled output, causing confusion or a Denial of Service (DoS) of the terminal application.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "composer: Composer: Terminal output manipulation leading to Denial of Service",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated Low as it primarily affects the terminal output of Composer commands. Exploitation requires an attacker to control remote sources from which Composer downloads, allowing the injection of ANSI control characters. This can lead to mangled output or a denial of service of the terminal application, but not the underlying system.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:composer-main@noarch",
"Red Hat Hardened Images:composer-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2025-67746"
},
{
"category": "external",
"summary": "RHBZ#2426283",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2426283"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2025-67746",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67746"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2025-67746",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67746"
},
{
"category": "external",
"summary": "https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917",
"url": "https://github.com/composer/composer/commit/1d40a95c9d39a6b7f80d404ab30336c586da9917"
},
{
"category": "external",
"summary": "https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71",
"url": "https://github.com/composer/composer/commit/5db1876a76fdef76d3c4f8a27995c434c7a43e71"
},
{
"category": "external",
"summary": "https://github.com/composer/composer/releases/tag/2.2.26",
"url": "https://github.com/composer/composer/releases/tag/2.2.26"
},
{
"category": "external",
"summary": "https://github.com/composer/composer/releases/tag/2.9.3",
"url": "https://github.com/composer/composer/releases/tag/2.9.3"
},
{
"category": "external",
"summary": "https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g",
"url": "https://github.com/composer/composer/security/advisories/GHSA-59pp-r3rg-353g"
}
],
"release_date": "2025-12-30T16:11:04.776000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-14T17:59:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:composer-main@noarch",
"Red Hat Hardened Images:composer-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:8165"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:composer-main@noarch",
"Red Hat Hardened Images:composer-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "composer: Composer: Terminal output manipulation leading to Denial of Service"
},
{
"cve": "CVE-2026-40176",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-04-15T21:00:48.175830+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2458828"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Composer. `Perforce::generateP4Command()` constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping, allowing an attacker to inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "composer: command injection via malicious Perforce repository definition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "To exploit this vulnerability, a user needs to run Composer commands on untrusted projects with attacker-supplied composer.json files. VCS repositories are only loaded from the root composer.json or the composer config directory, so this issue cannot be exploited through composer.json files of packages installed as dependencies. This issue can cause arbitrary command execution but it is limited to the context of the user running Composer. Due to these reasons, this flaw has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:composer-main@noarch",
"Red Hat Hardened Images:composer-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40176"
},
{
"category": "external",
"summary": "RHBZ#2458828",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458828"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40176",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40176"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40176",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40176"
},
{
"category": "external",
"summary": "https://github.com/composer/composer/releases/tag/2.9.6",
"url": "https://github.com/composer/composer/releases/tag/2.9.6"
},
{
"category": "external",
"summary": "https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p",
"url": "https://github.com/composer/composer/security/advisories/GHSA-wg36-wvj6-r67p"
}
],
"release_date": "2026-04-15T20:47:39.839000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-14T17:59:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:composer-main@noarch",
"Red Hat Hardened Images:composer-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:8165"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, only run Composer commands on projects from trusted sources. Also, inspect composer.json files before running Composer commands on them, specifically checking that Perforce-related fields contain valid values.",
"product_ids": [
"Red Hat Hardened Images:composer-main@noarch",
"Red Hat Hardened Images:composer-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:composer-main@noarch",
"Red Hat Hardened Images:composer-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "composer: command injection via malicious Perforce repository definition"
},
{
"cve": "CVE-2026-40261",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"discovery_date": "2026-04-15T22:00:54.256960+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2458841"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Composer. `Perforce::syncCodeBase()` appends the `$sourceReference` parameter to a shell command without proper escaping, allowing an attacker to inject arbitrary commands through a crafted source reference containing shell metacharacters.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "composer: command injection via malicious Perforce source reference/url",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This issue can be exploited via any package served by a compromised or malicious Composer repository when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. Exploitation results in arbitrary command execution. Due to these reasons, this flaw has been rated with an important severity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:composer-main@noarch",
"Red Hat Hardened Images:composer-main@src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-40261"
},
{
"category": "external",
"summary": "RHBZ#2458841",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2458841"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-40261",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40261"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-40261",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40261"
},
{
"category": "external",
"summary": "https://github.com/composer/composer/releases/tag/2.9.6",
"url": "https://github.com/composer/composer/releases/tag/2.9.6"
},
{
"category": "external",
"summary": "https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q",
"url": "https://github.com/composer/composer/security/advisories/GHSA-gqw4-4w2p-838q"
}
],
"release_date": "2026-04-15T20:56:32.182000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-14T17:59:27+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:composer-main@noarch",
"Red Hat Hardened Images:composer-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:8165"
},
{
"category": "workaround",
"details": "To mitigate this issue, only run Composer commands on projects and dependencies from trusted sources. Also, use the \u0027--prefer-dist\u0027 or the \u0027preferred-install: dist\u0027 configuration setting to prevent Composer from installing dependencies from source.",
"product_ids": [
"Red Hat Hardened Images:composer-main@noarch",
"Red Hat Hardened Images:composer-main@src"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:composer-main@noarch",
"Red Hat Hardened Images:composer-main@src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "composer: command injection via malicious Perforce source reference/url"
}
]
}
SUSE-SU-2026:0825-1
Vulnerability from csaf_suse - Published: 2026-03-05 15:16 - Updated: 2026-03-05 15:16
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.6.1.noarch | — | | Vendor Fix |
| Unresolved product id: openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.6.1.noarch | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "low"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for php-composer2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for php-composer2 fixes the following issues:\n\n CVE-2025-67746: Fixed ANSI control characters injection in the terminal output of various Composer commands via attacker controlled remote sources. (bsc#1255768)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-825,SUSE-SLE-Module-Web-Scripting-15-SP7-2026-825,openSUSE-SLE-15.6-2026-825",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_0825-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:0825-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20260825-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:0825-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-March/024634.html"
},
{
"category": "self",
"summary": "SUSE Bug 1255768",
"url": "https://bugzilla.suse.com/1255768"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-67746 page",
"url": "https://www.suse.com/security/cve/CVE-2025-67746/"
}
],
"title": "Security update for php-composer2",
"tracking": {
"current_release_date": "2026-03-05T15:16:16Z",
"generator": {
"date": "2026-03-05T15:16:16Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:0825-1",
"initial_release_date": "2026-03-05T15:16:16Z",
"revision_history": [
{
"date": "2026-03-05T15:16:16Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.6.4-150600.3.6.1.noarch",
"product": {
"name": "php-composer2-2.6.4-150600.3.6.1.noarch",
"product_id": "php-composer2-2.6.4-150600.3.6.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:15:sp7"
}
}
},
{
"category": "product_name",
"name": "openSUSE Leap 15.6",
"product": {
"name": "openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:leap:15.6"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.6.4-150600.3.6.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.6.1.noarch"
},
"product_reference": "php-composer2-2.6.4-150600.3.6.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 15 SP7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.6.4-150600.3.6.1.noarch as component of openSUSE Leap 15.6",
"product_id": "openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.6.1.noarch"
},
"product_reference": "php-composer2-2.6.4-150600.3.6.1.noarch",
"relates_to_product_reference": "openSUSE Leap 15.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-67746",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-67746"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.6.1.noarch",
"openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.6.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-67746",
"url": "https://www.suse.com/security/cve/CVE-2025-67746"
},
{
"category": "external",
"summary": "SUSE Bug 1255768 for CVE-2025-67746",
"url": "https://bugzilla.suse.com/1255768"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.6.1.noarch",
"openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.6.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Web and Scripting 15 SP7:php-composer2-2.6.4-150600.3.6.1.noarch",
"openSUSE Leap 15.6:php-composer2-2.6.4-150600.3.6.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-03-05T15:16:16Z",
"details": "low"
}
],
"title": "CVE-2025-67746"
}
]
}
SUSE-SU-2026:1970-1
Vulnerability from csaf_suse - Published: 2026-05-18 08:16 - Updated: 2026-05-18 08:16
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for php-composer2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for php-composer2 fixes the following issues\n\n- CVE-2026-40176: command injection via malicious Perforce repository definition (bsc#1262254).\n- CVE-2026-40261: command injection via malicious Perforce source reference/url (bsc#1262255).\n\nChanges for php-composer2:\n\n- version update to 2.2.27 (align with upstream LTS version)\n * Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do\n not cause issues (246f807b, 246f807b, 246f807b)\n * Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)\n * Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)\n * Fixed issue handling paths with = in them on Windows (#11568)\n- version 2.2.26 2025-12-30\n * Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)\n- version 2.2.25 2024-12-11\n * Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support\n is not guaranteed nor tested for though and the main purpose of LTS releases is legacy PHP versions support. 
(#12217)\n * Fixed issue on plugin upgrade when it defines multiple classes (#12226)\n * Fixed duplicate errors appearing in the output depending on php settings (#12214)\n * Fixed InstalledVersions returning duplicate data in some instances (#12225)\n- version 2.2.24 2024-06-10\n * Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)\n * Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)\n * Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)\n * Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)\n * Security: Fixed perforce argument escaping (3773f775)\n * Security: Fixed handling of zip bombs when extracting archives (de5f7e32)\n * Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding\n * conversion (3130a7455, 04a63b324)\n- version 2.2.23 2024-02-08\n * Security: Fixed code execution and possible privilege escalation via compromised vendor\n dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)\n- version 2.2.22 2023-09-29\n * Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP,\n and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)\n * Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)\n * Fixed handling of broken junctions on windows (#11550)\n * Fixed loading of root aliases on path repo packages when doing partial updates (#11632)\n * Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)\n * Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)\n * Fixed support for plugin classes being marked as readonly (#11404)\n * Fixed GitHub rate limit reporting (#11366)\n * Fixed 
issue displaying solver problems with branch names containing % signs (#11359)\n- version 2.2.21 2023-02-15\n * Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#11326)\n- version 2.2.20 2023-02-10\n * Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when\n running non-interactive (#11315)\n- version 2.2.19 2023-02-04\n * Fixed URL sanitizer to handle new GitHub personal access tokens format (#11137)\n * Fixed cache keys to allow _ to avoid conflicts between package names like a-b and a_b (#11229)\n * Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#11037)\n * Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0\n- version 2.2.18 2022-08-20\n * Fixed COMPOSER_NO_DEV so it also works with require and remove\u0027s --update-no-dev (#10995)\n * Fixed duplicate missing extension warnings being displayed (#10938)\n * Fixed hg version detection (#10955)\n * Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#11004)\n- version 2.2.17 2022-07-13\n * Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target\n directory is outside of CWD (#10935)\n * Fixed support for legacy (Composer 1.x, e.g. 
hirak/prestissimo) plugins which will not warn/error anymore if\n not in allow-plugins, as they are anyway not loaded (#10928)\n * Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)\n * Fixed support for disable_functions containing disk_free_space (#10936)\n * Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)\n- version 2.2.16 2022-07-05\n * Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#10920)\n * Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but\n plugins fully loaded (#10920)\n * Fixed deprecation notice (#10921)\n- version 2.2.15 2022-07-01\n * Fixed support for cache-read-only where the filesystem is not writable (#10906)\n * Fixed type error when using allow-plugins: true (#10909)\n * Fixed @putenv scripts receiving arguments passed to the command (#10846)\n * Fixed support for spaces in paths with binary proxies on Windows (#10836)\n * Fixed type error in GitDownloader if branches cannot be listed (#10888)\n * Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)\n- version 2.2.14 2022-06-06\n * Fixed handling of broken symlinks when checking whether a package is still installed (#6708)\n * Fixed JSON schema regex pattern for name to be JS compatible (#10811)\n * Fixed bin proxies to allow a proxy to include another one safely (#10823)\n * Fixed gitlab-token JSON schema definition (#10800)\n * Fixed openssl 3.x version parsing as it is now semver compliant\n * Fixed type error when a json file cannot be read (#10818)\n * Fixed parsing of multi-line arrays in funding.yml (#10784)\n- version 2.2.13 2022-05-25\n * Fixed invalid credentials loop when setting up GitLab token (#10748)\n * Fixed PHP 8.2 deprecations (#10766)\n * Fixed lock file changes being output even when the lock file creation is disabled\n * Fixed race 
condition when multiple requests asking for auth on the same hostname fired concurrently (#10763)\n * Fixed quoting of commas on Windows (#10775)\n * Fixed issue installing path repos with a disabled symlink function (#10786)\n- version 2.2.12 2022-04-13\n * Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)\n * Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)\n * Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)\n * Fixed validate command checking the lock file even if the lock option is disabled (#10723)\n- version 2.2.11 2022-04-01\n * Added missing config.bitbucket-oauth in composer-schema.json\n * Added --2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#10682)\n * Updated semver, jsonlint deps for minor fixes\n * Fixed generation of autoload crashing if a package has a broken path (#10688)\n * Removed dev-master=\u003edev-main alias from #10372 as it does not work when reloading from lock file and extracting dev deps (#10651)\n- version 2.2.10 2022-03-29\n * Fixed Bitbucket authorization detection due to API changes (#10657)\n * Fixed validate command warning about dist/source keys if defined (#10655)\n * Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)\n- version 2.2.9 2022-03-15\n * Fixed regression with plugins that modify install path of packages, see docs if you are authoring such a plugin (#10621)\n- version 2.2.8 2022-03-15\n * Fixed files autoloading sort order to be fully deterministic (#10617)\n * Fixed pool optimization pass edge cases (#10579)\n * Fixed require command failing when self.version is used as constraint (#10593)\n * Fixed --no-ansi / undecorated output still showing color in repo warnings (#10601)\n * Performance improvement in pool optimization step (composer/semver#131)\n- version 2.2.7 2022-02-25\n * Allow installation together with composer/xdebug-handler 
^3 (#10528)\n * Fixed support for packages with no licenses in licenses command output (#10537)\n * Fixed handling of allow-plugins: false which kept warning (#10530)\n * Fixed enum parsing in classmap generation when the enum keyword is not lowercased (#10521)\n * Fixed author parsing in init command requiring an email whereas the schema allows a name only (#10538)\n * Fixed issues in require command when requiring packages which do not exist (but are provided by something else you require) (#10541)\n * Performance improvement in pool optimization step (#10546)\n- version 2.2.6 2022-02-04\n * BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for binaries added in Composer 2.2.2 had to be renamed\n to COMPOSER_RUNTIME_BIN_DIR (#10512)\n * Fixed enum parsing in classmap generation with syntax like enum foo:string without space after : (#10498)\n * Fixed package search not urlencoding the input (#10500)\n * Fixed reinstall command not firing pre-install-cmd/post-install-cmd events (#10514)\n * Fixed edge case in path repositories where a symlink: true option would be ignored on old Windows and old PHP combos (#10482)\n * Fixed test suite compatibility with latest symfony/console releases (#10499)\n * Fixed some error reporting edge cases (#10484, #10451, #10493)\n- version 2.2.5 2022-01-21\n * Disabled composer/package-versions-deprecated by default as it can function using Composer\\InstalledVersions at runtime (#10458)\n * Fixed artifact repositories crashing if a phar file was present in the directory (#10406)\n * Fixed binary proxy issue on PHP \u003c8 when fseek is used on the proxied binary path (#10468)\n * Fixed handling of non-string versions in package repositories metadata (#10470)\n- version 2.2.4 2022-01-08\n * Fixed handling of process timeout when running async processes during installation\n * Fixed GitLab API handling when projects have a repository disabled (#10440)\n * Fixed reading of environment variables (e.g. 
APPDATA) containing unicode characters to workaround a PHP bug on Windows (#10434)\n * Fixed partial update issues with path repos missing if a path repo is required by a path repo (#10431)\n * Fixed support for sourcing binaries via the new bin proxies (#10389)\n * Fixed messaging when GitHub tokens need SSO authorization (#10432)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2026-1970,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1970,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1970,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1970,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1970,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1970,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1970,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1970,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1970",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1970-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:1970-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261970-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:1970-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046554.html"
},
{
"category": "self",
"summary": "SUSE Bug 1262254",
"url": "https://bugzilla.suse.com/1262254"
},
{
"category": "self",
"summary": "SUSE Bug 1262255",
"url": "https://bugzilla.suse.com/1262255"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-24828 page",
"url": "https://www.suse.com/security/cve/CVE-2022-24828/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-43655 page",
"url": "https://www.suse.com/security/cve/CVE-2023-43655/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-24821 page",
"url": "https://www.suse.com/security/cve/CVE-2024-24821/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35241 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35241/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-35242 page",
"url": "https://www.suse.com/security/cve/CVE-2024-35242/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-67746 page",
"url": "https://www.suse.com/security/cve/CVE-2025-67746/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40176 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40176/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40261 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40261/"
}
],
"title": "Security update for php-composer2",
"tracking": {
"current_release_date": "2026-05-18T08:16:15Z",
"generator": {
"date": "2026-05-18T08:16:15Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:1970-1",
"initial_release_date": "2026-05-18T08:16:15Z",
"revision_history": [
{
"date": "2026-05-18T08:16:15Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.2.27-150400.3.18.1.noarch",
"product": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch",
"product_id": "php-composer2-2.2.27-150400.3.18.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product": {
"name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles-ltss:15:sp5"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp4"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product": {
"name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles_sap:15:sp5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
"product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
"product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
},
"product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-24828",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-24828"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json\u0027s `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-24828",
"url": "https://www.suse.com/security/cve/CVE-2022-24828"
},
{
"category": "external",
"summary": "SUSE Bug 1198494 for CVE-2022-24828",
"url": "https://bugzilla.suse.com/1198494"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2022-24828"
},
{
"cve": "CVE-2023-43655",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-43655"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-43655",
"url": "https://www.suse.com/security/cve/CVE-2023-43655"
},
{
"category": "external",
"summary": "SUSE Bug 1215859 for CVE-2023-43655",
"url": "https://bugzilla.suse.com/1215859"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "moderate"
}
],
"title": "CVE-2023-43655"
},
{
"cve": "CVE-2024-24821",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-24821"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar\u0027s self-update. The following scenarios are of high risk: Composer being run with sudo, Pipelines which may execute Composer on untrusted projects, Shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:```sh\nrm vendor/composer/installed.php vendor/composer/InstalledVersions.php\ncomposer install --no-scripts --no-plugins\n```",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-24821",
"url": "https://www.suse.com/security/cve/CVE-2024-24821"
},
{
"category": "external",
"summary": "SUSE Bug 1219757 for CVE-2024-24821",
"url": "https://bugzilla.suse.com/1219757"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2024-24821"
},
{
"cve": "CVE-2024-35241",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35241"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35241",
"url": "https://www.suse.com/security/cve/CVE-2024-35241"
},
{
"category": "external",
"summary": "SUSE Bug 1226181 for CVE-2024-35241",
"url": "https://bugzilla.suse.com/1226181"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2024-35241"
},
{
"cve": "CVE-2024-35242",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-35242"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-35242",
"url": "https://www.suse.com/security/cve/CVE-2024-35242"
},
{
"category": "external",
"summary": "SUSE Bug 1226182 for CVE-2024-35242",
"url": "https://bugzilla.suse.com/1226182"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2024-35242"
},
{
"cve": "CVE-2025-67746",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-67746"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-67746",
"url": "https://www.suse.com/security/cve/CVE-2025-67746"
},
{
"category": "external",
"summary": "SUSE Bug 1255768 for CVE-2025-67746",
"url": "https://bugzilla.suse.com/1255768"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "low"
}
],
"title": "CVE-2025-67746"
},
{
"cve": "CVE-2026-40176",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40176"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40176",
"url": "https://www.suse.com/security/cve/CVE-2026-40176"
},
{
"category": "external",
"summary": "SUSE Bug 1262254 for CVE-2026-40176",
"url": "https://bugzilla.suse.com/1262254"
},
{
"category": "external",
"summary": "SUSE Bug 1262255 for CVE-2026-40176",
"url": "https://bugzilla.suse.com/1262255"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2026-40176"
},
{
"cve": "CVE-2026-40261",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40261"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40261",
"url": "https://www.suse.com/security/cve/CVE-2026-40261"
},
{
"category": "external",
"summary": "SUSE Bug 1262255 for CVE-2026-40261",
"url": "https://bugzilla.suse.com/1262255"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
"SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T08:16:15Z",
"details": "important"
}
],
"title": "CVE-2026-40261"
}
]
}
SUSE-SU-2026:21542-1
Vulnerability from csaf_suse - Published: 2026-05-04 10:45 - Updated: 2026-05-04 10:45
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for php-composer2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for php-composer2 fixes the following issues:\n\n- CVE-2025-67746: ANSI control character injection into the terminal output of various Composer commands via attacker-controlled remote sources (bsc#1255768).\n- CVE-2026-40176: arbitrary command injection via a malicious Perforce repository definition in the root composer.json (bsc#1262254).\n- CVE-2026-40261: arbitrary command injection via a malicious Perforce source reference/url served in package metadata (bsc#1262255).\n\nNote: the fixes for CVE-2026-40176 and CVE-2026-40261 are carried as backports in php-composer2 2.8.9-160000.3.1; upstream fixed them in 2.9.6 (mainline), so version-only scanners that compare against the upstream release number will continue to flag this package as affected.\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-672",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21542-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21542-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621542-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21542-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2026-May/025975.html"
},
{
"category": "self",
"summary": "SUSE Bug 1255768",
"url": "https://bugzilla.suse.com/1255768"
},
{
"category": "self",
"summary": "SUSE Bug 1262254",
"url": "https://bugzilla.suse.com/1262254"
},
{
"category": "self",
"summary": "SUSE Bug 1262255",
"url": "https://bugzilla.suse.com/1262255"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2025-67746 page",
"url": "https://www.suse.com/security/cve/CVE-2025-67746/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40176 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40176/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-40261 page",
"url": "https://www.suse.com/security/cve/CVE-2026-40261/"
}
],
"title": "Security update for php-composer2",
"tracking": {
"current_release_date": "2026-05-04T10:45:49Z",
"generator": {
"date": "2026-05-04T10:45:49Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21542-1",
"initial_release_date": "2026-05-04T10:45:49Z",
"revision_history": [
{
"date": "2026-05-04T10:45:49Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "php-composer2-2.8.9-160000.3.1.noarch",
"product": {
"name": "php-composer2-2.8.9-160000.3.1.noarch",
"product_id": "php-composer2-2.8.9-160000.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.8.9-160000.3.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:php-composer2-2.8.9-160000.3.1.noarch"
},
"product_reference": "php-composer2-2.8.9-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "php-composer2-2.8.9-160000.3.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:php-composer2-2.8.9-160000.3.1.noarch"
},
"product_reference": "php-composer2-2.8.9-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-67746",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2025-67746"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters into the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit, so this has a low severity, but we still publish a CVE because it has potential for abuse and we want to be on the safe side by informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:php-composer2-2.8.9-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:php-composer2-2.8.9-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2025-67746",
"url": "https://www.suse.com/security/cve/CVE-2025-67746"
},
{
"category": "external",
"summary": "SUSE Bug 1255768 for CVE-2025-67746",
"url": "https://bugzilla.suse.com/1255768"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:php-composer2-2.8.9-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:php-composer2-2.8.9-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:php-composer2-2.8.9-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:php-composer2-2.8.9-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-04T10:45:49Z",
"details": "low"
}
],
"title": "CVE-2025-67746"
},
{
"cve": "CVE-2026-40176",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40176"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:php-composer2-2.8.9-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:php-composer2-2.8.9-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40176",
"url": "https://www.suse.com/security/cve/CVE-2026-40176"
},
{
"category": "external",
"summary": "SUSE Bug 1262254 for CVE-2026-40176",
"url": "https://bugzilla.suse.com/1262254"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:php-composer2-2.8.9-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:php-composer2-2.8.9-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:php-composer2-2.8.9-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:php-composer2-2.8.9-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-04T10:45:49Z",
"details": "important"
}
],
"title": "CVE-2026-40176"
},
{
"cve": "CVE-2026-40261",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-40261"
}
],
"notes": [
{
"category": "general",
"text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:php-composer2-2.8.9-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:php-composer2-2.8.9-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-40261",
"url": "https://www.suse.com/security/cve/CVE-2026-40261"
},
{
"category": "external",
"summary": "SUSE Bug 1262255 for CVE-2026-40261",
"url": "https://bugzilla.suse.com/1262255"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update, use the SUSE recommended installation methods such as YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:php-composer2-2.8.9-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:php-composer2-2.8.9-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:php-composer2-2.8.9-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:php-composer2-2.8.9-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-04T10:45:49Z",
"details": "important"
}
],
"title": "CVE-2026-40261"
}
]
}