SUSE-SU-2026:1970-1

Vulnerability from csaf_suse - Published: 2026-05-18 08:16 - Updated: 2026-05-18 08:16
Summary
Security update for php-composer2
Severity
Important
Notes
Title of the patch: Security update for php-composer2
Description of the patch: This update for php-composer2 fixes the following issues

- CVE-2026-40176: command injection via malicious Perforce repository definition (bsc#1262254).
- CVE-2026-40261: command injection via malicious Perforce source reference/url (bsc#1262255).

Changes for php-composer2:

- version update to 2.2.27 (align with upstream LTS version)
 * Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do not cause issues (246f807b, 246f807b, 246f807b)
 * Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)
 * Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)
 * Fixed issue handling paths with = in them on Windows (#11568)
- version 2.2.26 2025-12-30
 * Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)
- version 2.2.25 2024-12-11
 * Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support is not guaranteed nor tested for though and the main purpose of LTS releases is legacy PHP versions support. (#12217)
 * Fixed issue on plugin upgrade when it defines multiple classes (#12226)
 * Fixed duplicate errors appearing in the output depending on php settings (#12214)
 * Fixed InstalledVersions returning duplicate data in some instances (#12225)
- version 2.2.24 2024-06-10
 * Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)
 * Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)
 * Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)
 * Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)
 * Security: Fixed perforce argument escaping (3773f775)
 * Security: Fixed handling of zip bombs when extracting archives (de5f7e32)
 * Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding conversion (3130a7455, 04a63b324)
- version 2.2.23 2024-02-08
 * Security: Fixed code execution and possible privilege escalation via compromised vendor dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)
- version 2.2.22 2023-09-29
 * Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP, and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)
 * Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)
 * Fixed handling of broken junctions on windows (#11550)
 * Fixed loading of root aliases on path repo packages when doing partial updates (#11632)
 * Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)
 * Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)
 * Fixed support for plugin classes being marked as readonly (#11404)
 * Fixed GitHub rate limit reporting (#11366)
 * Fixed issue displaying solver problems with branch names containing % signs (#11359)
- version 2.2.21 2023-02-15
 * Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#11326)
- version 2.2.20 2023-02-10
 * Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when running non-interactive (#11315)
- version 2.2.19 2023-02-04
 * Fixed URL sanitizer to handle new GitHub personal access tokens format (#11137)
 * Fixed cache keys to allow _ to avoid conflicts between package names like a-b and a_b (#11229)
 * Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#11037)
 * Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0
- version 2.2.18 2022-08-20
 * Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#10995)
 * Fixed duplicate missing extension warnings being displayed (#10938)
 * Fixed hg version detection (#10955)
 * Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#11004)
- version 2.2.17 2022-07-13
 * Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target directory is outside of CWD (#10935)
 * Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if not in allow-plugins, as they are anyway not loaded (#10928)
 * Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)
 * Fixed support for disable_functions containing disk_free_space (#10936)
 * Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)
- version 2.2.16 2022-07-05
 * Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#10920)
 * Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but plugins fully loaded (#10920)
 * Fixed deprecation notice (#10921)
- version 2.2.15 2022-07-01
 * Fixed support for cache-read-only where the filesystem is not writable (#10906)
 * Fixed type error when using allow-plugins: true (#10909)
 * Fixed @putenv scripts receiving arguments passed to the command (#10846)
 * Fixed support for spaces in paths with binary proxies on Windows (#10836)
 * Fixed type error in GitDownloader if branches cannot be listed (#10888)
 * Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)
- version 2.2.14 2022-06-06
 * Fixed handling of broken symlinks when checking whether a package is still installed (#6708)
 * Fixed JSON schema regex pattern for name to be JS compatible (#10811)
 * Fixed bin proxies to allow a proxy to include another one safely (#10823)
 * Fixed gitlab-token JSON schema definition (#10800)
 * Fixed openssl 3.x version parsing as it is now semver compliant
 * Fixed type error when a json file cannot be read (#10818)
 * Fixed parsing of multi-line arrays in funding.yml (#10784)
- version 2.2.13 2022-05-25
 * Fixed invalid credentials loop when setting up GitLab token (#10748)
 * Fixed PHP 8.2 deprecations (#10766)
 * Fixed lock file changes being output even when the lock file creation is disabled
 * Fixed race condition when multiple requests asking for auth on the same hostname fired concurrently (#10763)
 * Fixed quoting of commas on Windows (#10775)
 * Fixed issue installing path repos with a disabled symlink function (#10786)
- version 2.2.12 2022-04-13
 * Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)
 * Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)
 * Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)
 * Fixed validate command checking the lock file even if the lock option is disabled (#10723)
- version 2.2.11 2022-04-01
 * Added missing config.bitbucket-oauth in composer-schema.json
 * Added --2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#10682)
 * Updated semver, jsonlint deps for minor fixes
 * Fixed generation of autoload crashing if a package has a broken path (#10688)
 * Removed dev-master=>dev-main alias from #10372 as it does not work when reloading from lock file and extracting dev deps (#10651)
- version 2.2.10 2022-03-29
 * Fixed Bitbucket authorization detection due to API changes (#10657)
 * Fixed validate command warning about dist/source keys if defined (#10655)
 * Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)
- version 2.2.9 2022-03-15
 * Fixed regression with plugins that modify install path of packages, see docs if you are authoring such a plugin (#10621)
- version 2.2.8 2022-03-15
 * Fixed files autoloading sort order to be fully deterministic (#10617)
 * Fixed pool optimization pass edge cases (#10579)
 * Fixed require command failing when self.version is used as constraint (#10593)
 * Fixed --no-ansi / undecorated output still showing color in repo warnings (#10601)
 * Performance improvement in pool optimization step (composer/semver#131)
- version 2.2.7 2022-02-25
 * Allow installation together with composer/xdebug-handler ^3 (#10528)
 * Fixed support for packages with no licenses in licenses command output (#10537)
 * Fixed handling of allow-plugins: false which kept warning (#10530)
 * Fixed enum parsing in classmap generation when the enum keyword is not lowercased (#10521)
 * Fixed author parsing in init command requiring an email whereas the schema allows a name only (#10538)
 * Fixed issues in require command when requiring packages which do not exist (but are provided by something else you require) (#10541)
 * Performance improvement in pool optimization step (#10546)
- version 2.2.6 2022-02-04
 * BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for binaries added in Composer 2.2.2 had to be renamed to COMPOSER_RUNTIME_BIN_DIR (#10512)
 * Fixed enum parsing in classmap generation with syntax like enum foo:string without space after : (#10498)
 * Fixed package search not urlencoding the input (#10500)
 * Fixed reinstall command not firing pre-install-cmd/post-install-cmd events (#10514)
 * Fixed edge case in path repositories where a symlink: true option would be ignored on old Windows and old PHP combos (#10482)
 * Fixed test suite compatibility with latest symfony/console releases (#10499)
 * Fixed some error reporting edge cases (#10484, #10451, #10493)
- version 2.2.5 2022-01-21
 * Disabled composer/package-versions-deprecated by default as it can function using Composer\InstalledVersions at runtime (#10458)
 * Fixed artifact repositories crashing if a phar file was present in the directory (#10406)
 * Fixed binary proxy issue on PHP <8 when fseek is used on the proxied binary path (#10468)
 * Fixed handling of non-string versions in package repositories metadata (#10470)
- version 2.2.4 2022-01-08
 * Fixed handling of process timeout when running async processes during installation
 * Fixed GitLab API handling when projects have a repository disabled (#10440)
 * Fixed reading of environment variables (e.g. APPDATA) containing unicode characters to workaround a PHP bug on Windows (#10434)
 * Fixed partial update issues with path repos missing if a path repo is required by a path repo (#10431)
 * Fixed support for sourcing binaries via the new bin proxies (#10389)
 * Fixed messaging when GitHub tokens need SSO authorization (#10432)
Patchnames: SUSE-2026-1970,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1970,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1970,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1970,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1970,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1970,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1970,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1970,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1970
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Threats
Impact moderate
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Threats
Impact low
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Threats
Impact important
Affected products
Product Identifier Version Remediation
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Unresolved product id: SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch
Vendor Fix
Threats
Impact important
References
URL Category
https://www.suse.com/support/security/rating/ external
https://ftp.suse.com/pub/projects/security/csaf/s… self
https://www.suse.com/support/update/announcement/… self
https://lists.suse.com/pipermail/sle-updates/2026… self
https://bugzilla.suse.com/1262254 self
https://bugzilla.suse.com/1262255 self
https://www.suse.com/security/cve/CVE-2022-24828/ self
https://www.suse.com/security/cve/CVE-2023-43655/ self
https://www.suse.com/security/cve/CVE-2024-24821/ self
https://www.suse.com/security/cve/CVE-2024-35241/ self
https://www.suse.com/security/cve/CVE-2024-35242/ self
https://www.suse.com/security/cve/CVE-2025-67746/ self
https://www.suse.com/security/cve/CVE-2026-40176/ self
https://www.suse.com/security/cve/CVE-2026-40261/ self
https://www.suse.com/security/cve/CVE-2022-24828 external
https://bugzilla.suse.com/1198494 external
https://www.suse.com/security/cve/CVE-2023-43655 external
https://bugzilla.suse.com/1215859 external
https://www.suse.com/security/cve/CVE-2024-24821 external
https://bugzilla.suse.com/1219757 external
https://www.suse.com/security/cve/CVE-2024-35241 external
https://bugzilla.suse.com/1226181 external
https://www.suse.com/security/cve/CVE-2024-35242 external
https://bugzilla.suse.com/1226182 external
https://www.suse.com/security/cve/CVE-2025-67746 external
https://bugzilla.suse.com/1255768 external
https://www.suse.com/security/cve/CVE-2026-40176 external
https://bugzilla.suse.com/1262254 external
https://bugzilla.suse.com/1262255 external
https://www.suse.com/security/cve/CVE-2026-40261 external
https://bugzilla.suse.com/1262255 external

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for php-composer2",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for php-composer2 fixes the following issues\n\n- CVE-2026-40176: command injection via malicious Perforce repository definition (bsc#1262254).\n- CVE-2026-40261: command injection via malicious Perforce source reference/url (bsc#1262255).\n\nChanges for php-composer2:\n\n- version update to 2.2.27 (align with upstream LTS version)\n * Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do\n not cause issues (246f807b, 246f807b, 246f807b)\n * Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)\n * Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)\n * Fixed issue handling paths with = in them on Windows (#11568)\n- version 2.2.26 2025-12-30\n * Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)\n- version 2.2.25 2024-12-11\n * Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support\n is not guaranteed nor tested for though and the main purpose of LTS releases is legacy PHP versions support. 
(#12217)\n * Fixed issue on plugin upgrade when it defines multiple classes (#12226)\n * Fixed duplicate errors appearing in the output depending on php settings (#12214)\n * Fixed InstalledVersions returning duplicate data in some instances (#12225)\n- version 2.2.24 2024-06-10\n * Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)\n * Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)\n * Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)\n * Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)\n * Security: Fixed perforce argument escaping (3773f775)\n * Security: Fixed handling of zip bombs when extracting archives (de5f7e32)\n * Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding\n * conversion (3130a7455, 04a63b324)\n- version 2.2.23 2024-02-08\n * Security: Fixed code execution and possible privilege escalation via compromised vendor\n dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)\n- version 2.2.22 2023-09-29\n * Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP,\n and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)\n * Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)\n * Fixed handling of broken junctions on windows (#11550)\n * Fixed loading of root aliases on path repo packages when doing partial updates (#11632)\n * Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)\n * Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)\n * Fixed support for plugin classes being marked as readonly (#11404)\n * Fixed GitHub rate limit reporting (#11366)\n * Fixed 
issue displaying solver problems with branch names containing % signs (#11359)\n- version 2.2.21 2023-02-15\n * Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#11326)\n- version 2.2.20 2023-02-10\n * Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when\n running non-interactive (#11315)\n- version 2.2.19 2023-02-04\n * Fixed URL sanitizer to handle new GitHub personal access tokens format (#11137)\n * Fixed cache keys to allow _ to avoid conflicts between package names like a-b and a_b (#11229)\n * Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#11037)\n * Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0\n- version 2.2.18 2022-08-20\n * Fixed COMPOSER_NO_DEV so it also works with require and remove\u0027s --update-no-dev (#10995)\n * Fixed duplicate missing extension warnings being displayed (#10938)\n * Fixed hg version detection (#10955)\n * Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#11004)\n- version 2.2.17 2022-07-13\n * Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target\n directory is outside of CWD (#10935)\n * Fixed support for legacy (Composer 1.x, e.g. 
hirak/prestissimo) plugins which will not warn/error anymore if\n not in allow-plugins, as they are anyway not loaded (#10928)\n * Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)\n * Fixed support for disable_functions containing disk_free_space (#10936)\n * Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)\n- version 2.2.16 2022-07-05\n * Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#10920)\n * Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but\n plugins fully loaded (#10920)\n * Fixed deprecation notice (#10921)\n- version 2.2.15 2022-07-01\n * Fixed support for cache-read-only where the filesystem is not writable (#10906)\n * Fixed type error when using allow-plugins: true (#10909)\n * Fixed @putenv scripts receiving arguments passed to the command (#10846)\n * Fixed support for spaces in paths with binary proxies on Windows (#10836)\n * Fixed type error in GitDownloader if branches cannot be listed (#10888)\n * Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)\n- version 2.2.14 2022-06-06\n * Fixed handling of broken symlinks when checking whether a package is still installed (#6708)\n * Fixed JSON schema regex pattern for name to be JS compatible (#10811)\n * Fixed bin proxies to allow a proxy to include another one safely (#10823)\n * Fixed gitlab-token JSON schema definition (#10800)\n * Fixed openssl 3.x version parsing as it is now semver compliant\n * Fixed type error when a json file cannot be read (#10818)\n * Fixed parsing of multi-line arrays in funding.yml (#10784)\n- version 2.2.13 2022-05-25\n * Fixed invalid credentials loop when setting up GitLab token (#10748)\n * Fixed PHP 8.2 deprecations (#10766)\n * Fixed lock file changes being output even when the lock file creation is disabled\n * Fixed race 
condition when multiple requests asking for auth on the same hostname fired concurrently (#10763)\n * Fixed quoting of commas on Windows (#10775)\n * Fixed issue installing path repos with a disabled symlink function (#10786)\n- version 2.2.12 2022-04-13\n * Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)\n * Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)\n * Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)\n * Fixed validate command checking the lock file even if the lock option is disabled (#10723)\n- version 2.2.11 2022-04-01\n * Added missing config.bitbucket-oauth in composer-schema.json\n * Added --2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#10682)\n * Updated semver, jsonlint deps for minor fixes\n * Fixed generation of autoload crashing if a package has a broken path (#10688)\n * Removed dev-master=\u003edev-main alias from #10372 as it does not work when reloading from lock file and extracting dev deps (#10651)\n- version 2.2.10 2022-03-29\n * Fixed Bitbucket authorization detection due to API changes (#10657)\n * Fixed validate command warning about dist/source keys if defined (#10655)\n * Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)\n- version 2.2.9 2022-03-15\n * Fixed regression with plugins that modify install path of packages, see docs if you are authoring such a plugin (#10621)\n- version 2.2.8 2022-03-15\n * Fixed files autoloading sort order to be fully deterministic (#10617)\n * Fixed pool optimization pass edge cases (#10579)\n * Fixed require command failing when self.version is used as constraint (#10593)\n * Fixed --no-ansi / undecorated output still showing color in repo warnings (#10601)\n * Performance improvement in pool optimization step (composer/semver#131)\n- version 2.2.7 2022-02-25\n * Allow installation together with composer/xdebug-handler 
^3 (#10528)\n * Fixed support for packages with no licenses in licenses command output (#10537)\n * Fixed handling of allow-plugins: false which kept warning (#10530)\n * Fixed enum parsing in classmap generation when the enum keyword is not lowercased (#10521)\n * Fixed author parsing in init command requiring an email whereas the schema allows a name only (#10538)\n * Fixed issues in require command when requiring packages which do not exist (but are provided by something else you require) (#10541)\n * Performance improvement in pool optimization step (#10546)\n- version 2.2.6 2022-02-04\n * BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for binaries added in Composer 2.2.2 had to be renamed\n to COMPOSER_RUNTIME_BIN_DIR (#10512)\n * Fixed enum parsing in classmap generation with syntax like enum foo:string without space after : (#10498)\n * Fixed package search not urlencoding the input (#10500)\n * Fixed reinstall command not firing pre-install-cmd/post-install-cmd events (#10514)\n * Fixed edge case in path repositories where a symlink: true option would be ignored on old Windows and old PHP combos (#10482)\n * Fixed test suite compatibility with latest symfony/console releases (#10499)\n * Fixed some error reporting edge cases (#10484, #10451, #10493)\n- version 2.2.5 2022-01-21\n * Disabled composer/package-versions-deprecated by default as it can function using Composer\\InstalledVersions at runtime (#10458)\n * Fixed artifact repositories crashing if a phar file was present in the directory (#10406)\n * Fixed binary proxy issue on PHP \u003c8 when fseek is used on the proxied binary path (#10468)\n * Fixed handling of non-string versions in package repositories metadata (#10470)\n- version 2.2.4 2022-01-08\n * Fixed handling of process timeout when running async processes during installation\n * Fixed GitLab API handling when projects have a repository disabled (#10440)\n * Fixed reading of environment variables (e.g. 
APPDATA) containing unicode characters to workaround a PHP bug on Windows (#10434)\n * Fixed partial update issues with path repos missing if a path repo is required by a path repo (#10431)\n * Fixed support for sourcing binaries via the new bin proxies (#10389)\n * Fixed messaging when GitHub tokens need SSO authorization (#10432)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2026-1970,SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1970,SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1970,SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1970,SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1970,SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1970,SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1970,SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1970,SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1970",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_1970-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2026:1970-1",
        "url": "https://www.suse.com/support/update/announcement/2026/suse-su-20261970-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2026:1970-1",
        "url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046554.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1262254",
        "url": "https://bugzilla.suse.com/1262254"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1262255",
        "url": "https://bugzilla.suse.com/1262255"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-24828 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-24828/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-43655 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-43655/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-24821 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-24821/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-35241 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-35241/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-35242 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-35242/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2025-67746 page",
        "url": "https://www.suse.com/security/cve/CVE-2025-67746/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-40176 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-40176/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2026-40261 page",
        "url": "https://www.suse.com/security/cve/CVE-2026-40261/"
      }
    ],
    "title": "Security update for php-composer2",
    "tracking": {
      "current_release_date": "2026-05-18T08:16:15Z",
      "generator": {
        "date": "2026-05-18T08:16:15Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2026:1970-1",
      "initial_release_date": "2026-05-18T08:16:15Z",
      "revision_history": [
        {
          "date": "2026-05-18T08:16:15Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "php-composer2-2.2.27-150400.3.18.1.noarch",
                "product": {
                  "name": "php-composer2-2.2.27-150400.3.18.1.noarch",
                  "product_id": "php-composer2-2.2.27-150400.3.18.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-espos:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle_hpc-ltss:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                "product": {
                  "name": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                  "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles-ltss:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                  "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sles_sap:15:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch"
        },
        "product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
        },
        "product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch"
        },
        "product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
        },
        "product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server 15 SP4-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
        },
        "product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP4-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server 15 SP5-LTSS",
          "product_id": "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch"
        },
        "product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server 15 SP5-LTSS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch"
        },
        "product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "php-composer2-2.2.27-150400.3.18.1.noarch as component of SUSE Linux Enterprise Server for SAP Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
        },
        "product_reference": "php-composer2-2.2.27-150400.3.18.1.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Server for SAP Applications 15 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-24828",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-24828"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example where the composer.json\u0027s `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data into `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-24828",
          "url": "https://www.suse.com/security/cve/CVE-2022-24828"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1198494 for CVE-2022-24828",
          "url": "https://bugzilla.suse.com/1198494"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-18T08:16:15Z",
          "details": "important"
        }
      ],
      "title": "CVE-2022-24828"
    },
    {
      "cve": "CVE-2023-43655",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-43655"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be subject to a remote code execution vulnerability if PHP also has `register_argc_argv` enabled in php.ini. Versions 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. Users are advised to upgrade. Users unable to upgrade should make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this is not best practice.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-43655",
          "url": "https://www.suse.com/security/cve/CVE-2023-43655"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1215859 for CVE-2023-43655",
          "url": "https://bugzilla.suse.com/1215859"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-18T08:16:15Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-43655"
    },
    {
      "cve": "CVE-2024-24821",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-24821"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for the PHP language. In affected versions several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar\u0027s self-update. The following scenarios are of high risk: Composer being run with sudo, pipelines which may execute Composer on untrusted projects, shared environments with developers who run Composer individually on the same project. This vulnerability has been addressed in versions 2.7.0 and 2.2.23. It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed: Remove all sudo composer privileges for all users to mitigate root privilege escalation, and avoid running Composer within an untrusted directory, or if needed, verify that the contents of `vendor/composer/InstalledVersions.php` and `vendor/composer/installed.php` do not include untrusted code. A reset can also be done on these files by the following:\n\n```sh\nrm vendor/composer/installed.php vendor/composer/InstalledVersions.php\ncomposer install --no-scripts --no-plugins\n```",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-24821",
          "url": "https://www.suse.com/security/cve/CVE-2024-24821"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1219757 for CVE-2024-24821",
          "url": "https://bugzilla.suse.com/1219757"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-18T08:16:15Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-24821"
    },
    {
      "cve": "CVE-2024-35241",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-35241"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. Patches for this issue are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-35241",
          "url": "https://www.suse.com/security/cve/CVE-2024-35241"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1226181 for CVE-2024-35241",
          "url": "https://bugzilla.suse.com/1226181"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-18T08:16:15Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-35241"
    },
    {
      "cve": "CVE-2024-35242",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-35242"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. On the 2.x branch prior to versions 2.2.24 and 2.7.7, the `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. This requires cloning untrusted repositories. Patches are available in version 2.2.24 for 2.2 LTS or 2.7.7 for mainline. As a workaround, avoid cloning potentially compromised repositories.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-35242",
          "url": "https://www.suse.com/security/cve/CVE-2024-35242"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1226182 for CVE-2024-35242",
          "url": "https://bugzilla.suse.com/1226182"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-18T08:16:15Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-35242"
    },
    {
      "cve": "CVE-2025-67746",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2025-67746"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources that Composer downloads from might in some way inject ANSI control characters in the terminal output of various Composer commands, causing mangled output and potentially leading to confusion or DoS of the terminal application. There is no proven exploit and this has thus a low severity but we still publish a CVE as it has potential for abuse, and we want to be on the safe side informing users that they should upgrade. Versions 2.2.26 and 2.9.3 contain a patch for the issue.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2025-67746",
          "url": "https://www.suse.com/security/cve/CVE-2025-67746"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1255768 for CVE-2025-67746",
          "url": "https://bugzilla.suse.com/1255768"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-18T08:16:15Z",
          "details": "low"
        }
      ],
      "title": "CVE-2025-67746"
    },
    {
      "cve": "CVE-2026-40176",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-40176"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::generateP4Command() method, which constructs shell commands by interpolating user-supplied Perforce connection parameters (port, user, client) without proper escaping. An attacker can inject arbitrary commands through these values in a malicious composer.json declaring a Perforce VCS repository, leading to command execution in the context of the user running Composer, even if Perforce is not installed. VCS repositories are only loaded from the root composer.json or the composer config directory, so this cannot be exploited through composer.json files of packages installed as dependencies. Users are at risk if they run Composer commands on untrusted projects with attacker-supplied composer.json files. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline).",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-40176",
          "url": "https://www.suse.com/security/cve/CVE-2026-40176"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262254 for CVE-2026-40176",
          "url": "https://bugzilla.suse.com/1262254"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262255 for CVE-2026-40176",
          "url": "https://bugzilla.suse.com/1262255"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-18T08:16:15Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-40176"
    },
    {
      "cve": "CVE-2026-40261",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2026-40261"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase() method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the Perforce::generateP4Command() method as in GHSA-wg36-wvj6-r67p / CVE-2026-40176, which interpolates user-supplied Perforce connection parameters (port, user, client) from the source url field without proper escaping. An attacker can inject arbitrary commands through crafted source reference or source url values containing shell metacharacters, even if Perforce is not installed. Unlike CVE-2026-40176, the source reference and url are provided as part of package metadata, meaning any compromised or malicious Composer repository can serve package metadata declaring perforce as a source type with malicious values. This vulnerability is exploitable when installing or updating dependencies from source, including the default behavior when installing dev-prefixed versions. This issue has been fixed in Composer 2.2.27 (2.2 LTS) and 2.9.6 (mainline). If developers are unable to immediately update, they can avoid installing dependencies from source by using --prefer-dist or the preferred-install: dist config setting, and only use trusted Composer repositories as a workaround.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
          "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2026-40261",
          "url": "https://www.suse.com/security/cve/CVE-2026-40261"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1262255 for CVE-2026-40261",
          "url": "https://bugzilla.suse.com/1262255"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP4-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server 15 SP5-LTSS:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP4:php-composer2-2.2.27-150400.3.18.1.noarch",
            "SUSE Linux Enterprise Server for SAP Applications 15 SP5:php-composer2-2.2.27-150400.3.18.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2026-05-18T08:16:15Z",
          "details": "important"
        }
      ],
      "title": "CVE-2026-40261"
    }
  ]
}

