FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2026-04-16 08:20:54 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
5f608c68-276c-11ef-8caa-0897988a1c07	Composer -- Multiple command injections via malicious git/hg branch names Composer project reports: The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories. Discovery 2024-06-10 Entry 2024-06-10 php81-composer < 2.7.7 php82-composer < 2.7.7 php83-composer < 2.7.7 CVE-2024-35241 https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c CVE-2024-35242 https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf
7a7a17b2-381c-11f1-a663-10ffe07f9334	PHP Composer -- Multiple vulnerabilities Composer project reports: Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261) Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176) Discovery 2026-04-14 Entry 2026-04-14 php82-composer php83-composer php84-composer php85-composer < 2.9.6 CVE-2026-40261 CVE-2026-40176 https://github.com/composer/composer/releases/tag/2.9.6

VuXML ID

Description

5f608c68-276c-11ef-8caa-0897988a1c07

Composer -- Multiple command injections via malicious git/hg branch names

Composer project reports:

The status, reinstall and remove commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code.

The composer install command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories.

Discovery 2024-06-10
Entry 2024-06-10
php81-composer

< 2.7.7

php82-composer

< 2.7.7

php83-composer

< 2.7.7

CVE-2024-35241
https://github.com/composer/composer/security/advisories/GHSA-47f6-5gq3-vx9c
CVE-2024-35242
https://github.com/composer/composer/security/advisories/GHSA-v9qv-c7wm-wgmf

7a7a17b2-381c-11f1-a663-10ffe07f9334

PHP Composer -- Multiple vulnerabilities

Composer project reports:

Fixed command injection via malicious Perforce reference (GHSA-gqw4-4w2p-838q / CVE-2026-40261)

Fixed command injection via malicious Perforce repository definition (GHSA-wg36-wvj6-r67p / CVE-2026-40176)

Discovery 2026-04-14
Entry 2026-04-14
php82-composer
php83-composer
php84-composer
php85-composer

< 2.9.6

CVE-2026-40261
CVE-2026-40176
https://github.com/composer/composer/releases/tag/2.9.6