Composer
This hub aggregates every CVE we track for Composer, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.
14
CVEs tracked
0
Critical
10
High
0
In CISA KEV
Severity distribution
HIGH10MEDIUM4
Monthly trend
0
0
0
0
0
0
0
0
0
1
0
0
0
0
0
0
1
0
0
0
2
0
1
0
2024-082026-07
Latest CVEs
The 14 most recently published vulnerabilities affecting Composer.
- CVE-2026-10043MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability7.8
- CVE-2026-40261Composer has Command Injection via Malicious Perforce Reference8.8
- CVE-2026-40176Composer is vulnerable to Command Injection via Malicious Perforce Repository7.8
- CVE-2025-67746Composer vulnerable to ANSI sequence injection4.3
- CVE-2025-3510tagDiv Composer <= 5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes6.4
- CVE-2024-35242Composer vulnerable to command injection via malicious git/hg branch names8.8
- CVE-2024-35241Composer vulnerable to command injection via malicious git branch name8.8
- CVE-2024-24821Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php in Composer8.8
- CVE-2023-43655Remote Code Execution via web-accessible composer.phar6.4
- CVE-2015-8371Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because...8.8
- CVE-2023-1596tagDiv Composer < 4.0 - Reflected Cross-site Scripting6.1
- CVE-2022-24828Missing input validation can lead to command execution in composer8.3
- CVE-2021-41116Command injection in composer on Windows8.2
- CVE-2021-29472Missing argument delimiter can lead to code execution via VCS repository URLs or source download URLs on systems with Mercurial in composer8.8
Product normalization is registry-driven with AI assist and human review. How it works