Composer · packagist.org
linhecheng/cmlphp
Php Remote Fetch Exec Combo: Remote fetch (file_get_contents/curl) paired with eval/exec — fetch-and-run pattern.
Why PkgRadar flagged v8.1.0
| Severity | Signal | Evidence |
|---|---|---|
| high | Php Remote Fetch Exec Combo | Remote fetch (file_get_contents/curl) paired with eval/exec — fetch-and-run pattern. · symfony-symfony-0989c36/.github/build-packages.php |
| medium | Composer Abandoned Package | Packagist marked this package abandoned — maintainer signaled it should not be used. |
| medium | Remote Payload | matched "cUrl " · symfony-symfony-0989c36/src/Symfony/Bundle/FrameworkBundle/Command/ConfigDebugCommand.php |
| medium | Remote Payload | matched "cUrl " · symfony-symfony-0989c36/src/Symfony/Bundle/FrameworkBundle/Command/ConfigDumpReferenceCommand.php |
| medium | Remote Payload | matched "cURL " · symfony-symfony-0989c36/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php |
| medium | Remote Payload | matched "iwr " · symfony-symfony-0989c36/src/Symfony/Component/Emoji/Resources/data/emoji-cy.php |
| medium | Remote Payload | matched "curl " · symfony-symfony-0989c36/src/Symfony/Component/HttpClient/DataCollector/HttpClientDataCollector.php |
| medium | Remote Payload | matched "curl " · symfony-symfony-0989c36/src/Symfony/Component/HttpClient/NativeHttpClient.php |
| medium | Remote Payload | matched "curl " · symfony-symfony-0989c36/src/Symfony/Component/HttpClient/Response/CurlResponse.php |
Scanned versions
| Version | Verdict | Score | Scanned (UTC) |
|---|---|---|---|
v8.1.0 | Review | 40 | 2026-05-29 |
v5.4.53 | Review | 54 | 2026-05-27 |
v6.4.41 | Review | 62 | 2026-05-27 |
Block this in CI
pkgradar gate --ecosystem composer linhecheng/[email protected]