Every CVE whose affected-product data names Getcomposer Composer, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (9)
CVE-2015-8371 — CVSS 8.8 (high): Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code…
CVE-2021-29472 — CVSS 8.8 (high): Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and package source download URLs are…
CVE-2024-24821 — CVSS 8.8 (high): Composer is a dependency Manager for the PHP language. In affected versions several files within the local working directory are included…
CVE-2026-40261 — CVSS 8.8 (high): Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in…
CVE-2022-24828 — CVSS 8.3 (high): Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can…
CVE-2021-41116 — CVSS 8.2 (high): Composer is an open source dependency manager for the PHP language. In affected versions windows users running Composer to install…
CVE-2026-40176 — CVSS 7.8 (high): Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in…
CVE-2023-43655 — CVSS 6.4 (medium): Composer is a dependency manager for PHP. Users publishing a composer.phar to a public web-accessible server where the composer.phar can be…
CVE-2025-67746 — CVSS 4.3 (medium): Composer is a dependency manager for PHP. In versions on the 2.x branch prior to 2.2.26 and 2.9.3, attackers controlling remote sources…