<div class="container">
<h1>Security update for php-composer2</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:1970-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-05-18T08:16:20Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1262254">bsc#1262254</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1262255">bsc#1262255</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2022-24828.html">CVE-2022-24828</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-43655.html">CVE-2023-43655</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-24821.html">CVE-2024-24821</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-35241.html">CVE-2024-35241</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2024-35242.html">CVE-2024-35242</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-67746.html">CVE-2025-67746</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-40176.html">CVE-2026-40176</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-40261.html">CVE-2026-40261</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-24828</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.0</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2022-24828</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-43655</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-43655</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-43655</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-24821</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-24821</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-35241</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-35241</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-35242</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2024-35242</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-67746</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">2.0</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-67746</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">3.3</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-67746</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">1.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-67746</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">4.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-40176</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-40176</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-40261</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-40261</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">8.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">openSUSE Leap 15.4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves eight vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for php-composer2 fixes the following issues</p>
<ul>
<li>CVE-2026-40176: command injection via malicious Perforce repository definition (bsc#1262254).</li>
<li>CVE-2026-40261: command injection via malicious Perforce source reference/url (bsc#1262255).</li>
</ul>
<p>Changes for php-composer2:</p>
<ul>
<li>version update to 2.2.27 (align with upstream LTS version)</li>
<li>Security: Hardened git/hg/perforce/fossil identifier validation to ensure branch names starting with - do
not cause issues (246f807b, 246f807b, 246f807b)</li>
<li>Security: Fixed Perforce unescaped user input in queryP4User shell command (246f807b)</li>
<li>Security: Fixed usage of insecure 3DES ciphers when ext-curl is missing (21ffece62)</li>
<li>Fixed issue handling paths with = in them on Windows (#11568)</li>
<li>version 2.2.26 2025-12-30</li>
<li>Security: Fixed ANSI sequence injection (GHSA-59pp-r3rg-353g / CVE-2025-67746)</li>
<li>version 2.2.25 2024-12-11</li>
<li>Fixed deprecation notices appearing on this LTS version in case it is used on modern PHP. Modern PHP support
is not guaranteed nor tested for though and the main purpose of LTS releases is legacy PHP versions support. (#12217)</li>
<li>Fixed issue on plugin upgrade when it defines multiple classes (#12226)</li>
<li>Fixed duplicate errors appearing in the output depending on php settings (#12214)</li>
<li>Fixed InstalledVersions returning duplicate data in some instances (#12225)</li>
<li>version 2.2.24 2024-06-10</li>
<li>Security: Fixed command injection via malicious git branch name (GHSA-47f6-5gq3-vx9c / CVE-2024-35241)</li>
<li>Security: Fixed multiple command injections via malicious git/hg branch names (GHSA-v9qv-c7wm-wgmf / CVE-2024-35242)</li>
<li>Security: Fixed secure-http checks that could be bypassed by using malformed URL formats (fa3b9582c)</li>
<li>Security: Fixed Filesystem::isLocalPath including windows-specific checks on linux (3c37a67c)</li>
<li>Security: Fixed perforce argument escaping (3773f775)</li>
<li>Security: Fixed handling of zip bombs when extracting archives (de5f7e32)</li>
<li>Security: Fixed Windows command parameter escaping to prevent abuse of unicode characters with best fit encoding</li>
<li>conversion (3130a7455, 04a63b324)</li>
<li>version 2.2.23 2024-02-08</li>
<li>Security: Fixed code execution and possible privilege escalation via compromised vendor
dir contents (GHSA-7c6p-848j-wh5h / CVE-2024-24821)</li>
<li>version 2.2.22 2023-09-29</li>
<li>Security: Fixed possible remote code execution vulnerability if composer.phar is publicly accessible, executable as PHP,
and register_argc_argv is enabled in php.ini (GHSA-jm6m-4632-36hf / CVE-2023-43655)</li>
<li>Fixed authentication issue when downloading several files from private Bitbucket in parallel (#11464)</li>
<li>Fixed handling of broken junctions on windows (#11550)</li>
<li>Fixed loading of root aliases on path repo packages when doing partial updates (#11632)</li>
<li>Fixed parsing of lib-curl-openssl version with OSX SecureTransport (#11534)</li>
<li>Fixed binary proxies not being transparent when included by another PHP process and returning a value (#11454)</li>
<li>Fixed support for plugin classes being marked as readonly (#11404)</li>
<li>Fixed GitHub rate limit reporting (#11366)</li>
<li>Fixed issue displaying solver problems with branch names containing % signs (#11359)</li>
<li>version 2.2.21 2023-02-15</li>
<li>Fixed extra.plugin-optional support in PluginInstaller when doing pre-install checks (#11326)</li>
<li>version 2.2.20 2023-02-10</li>
<li>Added extra.plugin-optional support for allow auto-disabling unknown plugins which are not critical when
running non-interactive (#11315)</li>
<li>version 2.2.19 2023-02-04</li>
<li>Fixed URL sanitizer to handle new GitHub personal access tokens format (#11137)</li>
<li>Fixed cache keys to allow _ to avoid conflicts between package names like a-b and a_b (#11229)</li>
<li>Fixed handling of --ignore-platform-req with upper-bound ignores to not apply to conflict rules (#11037)</li>
<li>Fixed handling of COMPOSER_DISCARD_CHANGES when set to 0</li>
<li>version 2.2.18 2022-08-20</li>
<li>Fixed COMPOSER_NO_DEV so it also works with require and remove's --update-no-dev (#10995)</li>
<li>Fixed duplicate missing extension warnings being displayed (#10938)</li>
<li>Fixed hg version detection (#10955)</li>
<li>Fixed git cache invalidation issue when a git tag gets created after the cache has loaded a given reference (#11004)</li>
<li>version 2.2.17 2022-07-13</li>
<li>Fixed plugins from CWD/vendor being loaded in some cases like create-project or validate even though the target
directory is outside of CWD (#10935)</li>
<li>Fixed support for legacy (Composer 1.x, e.g. hirak/prestissimo) plugins which will not warn/error anymore if
not in allow-plugins, as they are anyway not loaded (#10928)</li>
<li>Fixed pre-install check for allowed plugins not taking --no-plugins into account (#10925)</li>
<li>Fixed support for disable_functions containing disk_free_space (#10936)</li>
<li>Fixed RootPackageRepository usages to always clone the root package to avoid interoperability issues with plugins (#10940)</li>
<li>version 2.2.16 2022-07-05</li>
<li>Fixed non-interactive behavior of allow-plugins to throw instead of continue with a warning to avoid broken installs (#10920)</li>
<li>Fixed allow-plugins BC mode to ensure old lock files created pre-2.2 can be installed with only a warning but
plugins fully loaded (#10920)</li>
<li>Fixed deprecation notice (#10921)</li>
<li>version 2.2.15 2022-07-01</li>
<li>Fixed support for cache-read-only where the filesystem is not writable (#10906)</li>
<li>Fixed type error when using allow-plugins: true (#10909)</li>
<li>Fixed @putenv scripts receiving arguments passed to the command (#10846)</li>
<li>Fixed support for spaces in paths with binary proxies on Windows (#10836)</li>
<li>Fixed type error in GitDownloader if branches cannot be listed (#10888)</li>
<li>Fixed RootPackageInterface issue on PHP 5.3.3 (#10895)</li>
<li>version 2.2.14 2022-06-06</li>
<li>Fixed handling of broken symlinks when checking whether a package is still installed (#6708)</li>
<li>Fixed JSON schema regex pattern for name to be JS compatible (#10811)</li>
<li>Fixed bin proxies to allow a proxy to include another one safely (#10823)</li>
<li>Fixed gitlab-token JSON schema definition (#10800)</li>
<li>Fixed openssl 3.x version parsing as it is now semver compliant</li>
<li>Fixed type error when a json file cannot be read (#10818)</li>
<li>Fixed parsing of multi-line arrays in funding.yml (#10784)</li>
<li>version 2.2.13 2022-05-25</li>
<li>Fixed invalid credentials loop when setting up GitLab token (#10748)</li>
<li>Fixed PHP 8.2 deprecations (#10766)</li>
<li>Fixed lock file changes being output even when the lock file creation is disabled</li>
<li>Fixed race condition when multiple requests asking for auth on the same hostname fired concurrently (#10763)</li>
<li>Fixed quoting of commas on Windows (#10775)</li>
<li>Fixed issue installing path repos with a disabled symlink function (#10786)</li>
<li>version 2.2.12 2022-04-13</li>
<li>Security: Fixed command injection vulnerability in HgDriver/GitDriver (GHSA-x7cr-6qr6-2hh6 / CVE-2022-24828)</li>
<li>Fixed curl downloader not retrying when a DNS resolution failure occurs (#10716)</li>
<li>Fixed composer.lock file still being used/read when the lock config option is disabled (#10726)</li>
<li>Fixed validate command checking the lock file even if the lock option is disabled (#10723)</li>
<li>version 2.2.11 2022-04-01</li>
<li>Added missing config.bitbucket-oauth in composer-schema.json</li>
<li>Added --2.2 flag to self-update to pin the Composer version to the 2.2 LTS range (#10682)</li>
<li>Updated semver, jsonlint deps for minor fixes</li>
<li>Fixed generation of autoload crashing if a package has a broken path (#10688)</li>
<li>Removed dev-master=>dev-main alias from #10372 as it does not work when reloading from lock file and extracting dev deps (#10651)</li>
<li>version 2.2.10 2022-03-29</li>
<li>Fixed Bitbucket authorization detection due to API changes (#10657)</li>
<li>Fixed validate command warning about dist/source keys if defined (#10655)</li>
<li>Fixed deletion/handling of corrupted 0-bytes zip archives (#10666)</li>
<li>version 2.2.9 2022-03-15</li>
<li>Fixed regression with plugins that modify install path of packages, see docs if you are authoring such a plugin (#10621)</li>
<li>version 2.2.8 2022-03-15</li>
<li>Fixed files autoloading sort order to be fully deterministic (#10617)</li>
<li>Fixed pool optimization pass edge cases (#10579)</li>
<li>Fixed require command failing when self.version is used as constraint (#10593)</li>
<li>Fixed --no-ansi / undecorated output still showing color in repo warnings (#10601)</li>
<li>Performance improvement in pool optimization step (composer/semver#131)</li>
<li>version 2.2.7 2022-02-25</li>
<li>Allow installation together with composer/xdebug-handler ^3 (#10528)</li>
<li>Fixed support for packages with no licenses in licenses command output (#10537)</li>
<li>Fixed handling of allow-plugins: false which kept warning (#10530)</li>
<li>Fixed enum parsing in classmap generation when the enum keyword is not lowercased (#10521)</li>
<li>Fixed author parsing in init command requiring an email whereas the schema allows a name only (#10538)</li>
<li>Fixed issues in require command when requiring packages which do not exist (but are provided by something else you require) (#10541)</li>
<li>Performance improvement in pool optimization step (#10546)</li>
<li>version 2.2.6 2022-02-04</li>
<li>BC Break: due to an oversight, the COMPOSER_BIN_DIR env var for binaries added in Composer 2.2.2 had to be renamed
to COMPOSER_RUNTIME_BIN_DIR (#10512)</li>
<li>Fixed enum parsing in classmap generation with syntax like enum foo:string without space after : (#10498)</li>
<li>Fixed package search not urlencoding the input (#10500)</li>
<li>Fixed reinstall command not firing pre-install-cmd/post-install-cmd events (#10514)</li>
<li>Fixed edge case in path repositories where a symlink: true option would be ignored on old Windows and old PHP combos (#10482)</li>
<li>Fixed test suite compatibility with latest symfony/console releases (#10499)</li>
<li>Fixed some error reporting edge cases (#10484, #10451, #10493)</li>
<li>version 2.2.5 2022-01-21</li>
<li>Disabled composer/package-versions-deprecated by default as it can function using Composer\InstalledVersions at runtime (#10458)</li>
<li>Fixed artifact repositories crashing if a phar file was present in the directory (#10406)</li>
<li>Fixed binary proxy issue on PHP <8 when fseek is used on the proxied binary path (#10468)</li>
<li>Fixed handling of non-string versions in package repositories metadata (#10470)</li>
<li>version 2.2.4 2022-01-08</li>
<li>Fixed handling of process timeout when running async processes during installation</li>
<li>Fixed GitLab API handling when projects have a repository disabled (#10440)</li>
<li>Fixed reading of environment variables (e.g. APPDATA) containing unicode characters to workaround a PHP bug on Windows (#10434)</li>
<li>Fixed partial update issues with path repos missing if a path repo is required by a path repo (#10431)</li>
<li>Fixed support for sourcing binaries via the new bin proxies (#10389)</li>
<li>Fixed messaging when GitHub tokens need SSO authorization (#10432)</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.4
<br/>
<code>zypper in -t patch SUSE-2026-1970=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-1970=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-1970=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-1970=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-1970=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP4 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-1970=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP5 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-1970=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-1970=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-1970=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.4 (noarch)
<ul>
<li>php-composer2-2.2.27-150400.3.18.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
<ul>
<li>php-composer2-2.2.27-150400.3.18.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
<ul>
<li>php-composer2-2.2.27-150400.3.18.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
<ul>
<li>php-composer2-2.2.27-150400.3.18.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
<ul>
<li>php-composer2-2.2.27-150400.3.18.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
<ul>
<li>php-composer2-2.2.27-150400.3.18.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
<ul>
<li>php-composer2-2.2.27-150400.3.18.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
<ul>
<li>php-composer2-2.2.27-150400.3.18.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
<ul>
<li>php-composer2-2.2.27-150400.3.18.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2022-24828.html">https://www.suse.com/security/cve/CVE-2022-24828.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-43655.html">https://www.suse.com/security/cve/CVE-2023-43655.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-24821.html">https://www.suse.com/security/cve/CVE-2024-24821.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-35241.html">https://www.suse.com/security/cve/CVE-2024-35241.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2024-35242.html">https://www.suse.com/security/cve/CVE-2024-35242.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-67746.html">https://www.suse.com/security/cve/CVE-2025-67746.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-40176.html">https://www.suse.com/security/cve/CVE-2026-40176.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-40261.html">https://www.suse.com/security/cve/CVE-2026-40261.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1262254">https://bugzilla.suse.com/show_bug.cgi?id=1262254</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1262255">https://bugzilla.suse.com/show_bug.cgi?id=1262255</a>
</li>
</ul>
</div>