PT-2026-22108 · Packistry · Packistry

Maantje · Published 2026-02-26 · Updated 2026-02-26 · CVE-2026-27968

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Packistry versions prior to 0.13.0

Description

Packistry is a self-hosted Composer repository for PHP package distribution. Prior to version 0.13.0, the RepositoryAwareController::authorize() function did not enforce token expiration, allowing expired deploy tokens with the correct ability to access repository endpoints, such as Composer metadata and download APIs. The fix in version 0.13.0 adds an explicit expiration check to the authorize() function, and tests now verify that expired deploy tokens are rejected.

Recommendations

Update to version 0.13.0 or later.
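
The flaw and the fix described above, modelled as an added PHP example; this is not Packistry's code. The DeployToken class, both function names, the repository:read ability string and the rule that a null expiry means "never expires" are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical, simplified deploy token; not Packistry's schema.
final class DeployToken
{
    /** @param string[] $abilities */
    public function __construct(
        public readonly array $abilities,
        public readonly ?DateTimeImmutable $expiresAt, // null = never expires (assumption)
    ) {}

    public function can(string $ability): bool
    {
        return in_array($ability, $this->abilities, true);
    }
}

// Flawed pattern from the description: only the ability is checked.
function authorizeAbilityOnly(?DeployToken $token, string $ability): bool
{
    return $token !== null && $token->can($ability);
}

// Hardened pattern: an explicit expiration check precedes the ability check.
function authorizeWithExpiry(?DeployToken $token, string $ability, DateTimeImmutable $now): bool
{
    if ($token === null) {
        return false;
    }
    // Treat the token as expired from the instant expiresAt is reached.
    if ($token->expiresAt !== null && $token->expiresAt <= $now) {
        return false;
    }
    return $token->can($ability);
}

// Constructed sample tokens, evaluated against a fixed clock.
$now = new DateTimeImmutable('2026-02-26T12:00:00Z');
$cases = [
    'expired yesterday' => new DeployToken(['repository:read'], $now->modify('-1 day')),
    'expires right now' => new DeployToken(['repository:read'], $now),
    'valid for a week'  => new DeployToken(['repository:read'], $now->modify('+7 days')),
    'no expiry set'     => new DeployToken(['repository:read'], null),
];
foreach ($cases as $label => $token) {
    printf("%-18s ability-only=%s with-expiry=%s\n", $label,
        var_export(authorizeAbilityOnly($token, 'repository:read'), true),
        var_export(authorizeWithExpiry($token, 'repository:read', $now), true));
}
```

The two checks disagree only for the expired and boundary tokens, which is the case a regression test for this issue needs to cover.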

Exploit

Fix

Insufficient Session Expiration

Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-27968
GHSA-4R9M-JP53-VGMW

Affected Products

Packistry