composer/composer is vulnerable to arbitrary command execution. A missing argument delimiter allows an attacker to inject and execute arbitrary commands via VCS repository URLs or source download URLs on systems with Mercurial.
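
The missing delimiter described above, shown as an added PHP example (not Composer's own code): it builds an `hg clone` argument list without and with the conventional `--` end-of-options marker and reports which slots an option parser would read as options. The function names, the `vendor/pkg` destination and the sample URLs are constructed for illustration.

```php
<?php
// Added illustration, not Composer's code. All function names are hypothetical.

/** No end-of-options marker: a URL starting with "-" is parsed as an option. */
function buildCloneArgvUnsafe(string $url, string $dest): array
{
    return ['hg', 'clone', $url, $dest];
}

/** Hardened: reject option-like values, then put "--" before the positionals. */
function buildCloneArgvSafe(string $url, string $dest): array
{
    foreach (['url' => $url, 'dest' => $dest] as $name => $value) {
        if ($value === '' || $value[0] === '-') {
            throw new InvalidArgumentException("$name must not be empty or start with '-'");
        }
    }
    return ['hg', 'clone', '--', $url, $dest];
}

/** Indexes in argv that a getopt-style parser would treat as options. */
function optionPositions(array $argv): array
{
    $hits = [];
    foreach (array_slice($argv, 1, null, true) as $i => $arg) {
        if ($arg === '--') {
            break; // everything after the delimiter is positional
        }
        if ($arg !== '' && $arg[0] === '-') {
            $hits[] = $i;
        }
    }
    return $hits;
}

// Constructed sample inputs: one ordinary URL, one option-shaped placeholder.
$samples = ['https://example.org/repo', '--example-option=value'];
foreach ($samples as $url) {
    $unsafe = buildCloneArgvUnsafe($url, 'vendor/pkg');
    printf("%s\n  unsafe argv option slots: [%s]\n", $url, implode(',', optionPositions($unsafe)));
    try {
        $safe = buildCloneArgvSafe($url, 'vendor/pkg');
        printf("  safe argv: %s (option slots: [%s])\n",
            implode(' ', $safe), implode(',', optionPositions($safe)));
    } catch (InvalidArgumentException $e) {
        printf("  rejected before exec: %s\n", $e->getMessage());
    }
}
```

The same two checks apply to any value taken from package metadata and passed to a VCS binary: validate that it cannot be read as an option, and keep `--` in front of it so a missed validation still lands in a positional slot.
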
getcomposer.org/
github.com/composer/composer/security/advisories/GHSA-h5h8-pc6h-jvvx
lists.debian.org/debian-lts-announce/2021/05/msg00009.html
lists.fedoraproject.org/archives/list/[email protected]/message/FAQUAMGO4Q4BLNZ2OH4CXQD7UK4IO2GE/
lists.fedoraproject.org/archives/list/[email protected]/message/KN3DMFH42BJW45VT6FYF2RXKC26D6VC2/
www.debian.org/security/2021/dsa-4907