Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
PHP Composer Update Protects Against Malicious Terminal Output
SUSE-SU-2026:0825-1
Summary
This update for PHP Composer fixes a security issue where attackers could inject malicious characters into the terminal output of Composer commands. This could potentially lead to unauthorized actions or data exposure. Update your PHP Composer to the latest version to ensure you have the fix.
What to do
- Update php-composer2 to version 2.6.4-150600.3.6.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | php-composer2 | <= 2.6.4-150600.3.6.1 | 2.6.4-150600.3.6.1 |
| – | php-composer2 | <= 2.6.4-150600.3.6.1 | 2.6.4-150600.3.6.1 |
Original title
Security update for php-composer2
Original description
This update for php-composer2 fixes the following issues:
CVE-2025-67746: Fixed ANSI control characters injection in the terminal output of various Composer commands via attacker controlled remote sources. (bsc#1255768)
CVE-2025-67746: Fixed ANSI control characters injection in the terminal output of various Composer commands via attacker controlled remote sources. (bsc#1255768)
- https://www.suse.com/support/update/announcement/2026/suse-su-20260825-1/ Vendor Advisory
- https://bugzilla.suse.com/1255768 Third Party Advisory
- https://www.suse.com/security/cve/CVE-2025-67746 URL
Published: 5 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026