
PHP Composer update fixes terminal code injection risk

Summary

This update fixes a security issue in PHP Composer, a popular tool for managing dependencies in PHP projects. If exploited, an attacker who controls a remote source could inject ANSI control characters into the terminal output of Composer commands. To stay secure, update your PHP Composer installation to the latest version.

What to do
  • Update php-composer2 to version 2.6.4-150600.3.6.1.

Affected software

| Vendor | Product | Affected versions | Fix available |
|  | php-composer2 | <= 2.6.4-150600.3.6.1 | 2.6.4-150600.3.6.1 |

Original title

Security update for php-composer2

Original description

This update for php-composer2 fixes the following issues:

CVE-2025-67746: Fixed ANSI control characters injection in the terminal output of various Composer commands via attacker controlled remote sources. (bsc#1255768)
Published: 5 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026
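
Added example, not part of the advisory and not Composer's own code: Python that shows how a tool printing text from remote sources can detect ANSI control characters in decoded JSON metadata and make them visible instead of letting the terminal interpret them. The metadata sample, its field names and the function names are constructed for illustration.

```python
import json
import re

# C0 controls except tab and newline, DEL, and C1 controls (U+0080-U+009F).
# ESC (0x1b) and the single-character CSI (0x9b) both start ANSI sequences.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f\x80-\x9f]")


def neutralize(text: str) -> str:
    """Replace each control character with a visible \\xNN escape."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


def find_control_chars(node, path="$"):
    """Yield (json_path, neutralized_text) for every string key or value
    in decoded JSON that contains a control character."""
    if isinstance(node, str):
        if _CONTROL.search(node):
            yield path, neutralize(node)
    elif isinstance(node, dict):
        for key, value in node.items():
            if _CONTROL.search(key):
                yield path + ".<key>", neutralize(key)
            yield from find_control_chars(value, f"{path}.{neutralize(key)}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_control_chars(value, f"{path}[{i}]")


# Constructed sample resembling package metadata fetched from a remote source.
SAMPLE = json.loads(r'''
{
  "name": "acme/demo",
  "description": "Handy \u001b[1mtool\u001b[0m",
  "authors": [{"name": "Jane \u009b31mDoe"}],
  "homepage": "https://example.test/demo"
}
''')

if __name__ == "__main__":
    # Report each affected field with the control bytes shown, not executed.
    for where, shown in find_control_chars(SAMPLE):
        print(f"{where}: {shown}")
```

Tab and newline are left intact so multi-line descriptions still render; carriage return is neutralized because it can overwrite text already on the line.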