PT-2026-22108 · Packistry · Packistry
Maantje
Published: 2026-02-26 · Updated: 2026-02-26 · CVE-2026-27968
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Packistry versions prior to 0.13.0
Description
Packistry is a self-hosted Composer repository for PHP package distribution. Prior to version 0.13.0, the RepositoryAwareController::authorize() function did not enforce token expiration, so an expired deploy token that still carried the correct ability could access repository endpoints such as the Composer metadata and download APIs. The fix in version 0.13.0 adds an explicit expiration check to authorize(), and tests now verify that expired deploy tokens are rejected.
Recommendations
Update to version 0.13.0 or later.
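To make the defect concrete, here is an added example (not Packistry's code; the token fields, constructed sample tokens and function names are assumptions) modelling a deploy-token authorize() check before and after the fix: the pre-0.13.0 form consults only the token's ability, while the fixed form rejects an expired token first and reports the reason so denials can be logged.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class DeployToken:
    """Hypothetical deploy-token record (field names are assumptions)."""
    name: str
    abilities: FrozenSet[str]
    expires_at: Optional[datetime]   # None means the token never expires


def authorize_vulnerable(token: DeployToken, ability: str) -> bool:
    """Pre-0.13.0 behaviour: only the ability is consulted, so an expired
    token that still carries the right ability is accepted."""
    return ability in token.abilities


def is_expired(token: DeployToken, now: datetime) -> bool:
    """True when the token has an expiry and it is at or before `now`.
    Naive timestamps are treated as UTC so the comparison cannot raise."""
    if token.expires_at is None:
        return False
    expires_at = token.expires_at
    if expires_at.tzinfo is None:
        expires_at = expires_at.replace(tzinfo=timezone.utc)
    return expires_at <= now


def authorize_fixed(token: DeployToken, ability: str,
                    now: Optional[datetime] = None) -> Tuple[bool, str]:
    """0.13.0-style behaviour: expiry is enforced before the ability check.
    Returns (allowed, reason) so a denial can be logged with its cause."""
    now = now or datetime.now(timezone.utc)
    if is_expired(token, now):
        return False, "token expired"
    if ability not in token.abilities:
        return False, "missing ability"
    return True, "ok"


# Constructed sample data for the demonstration.
NOW = datetime(2026, 2, 26, 12, 0, tzinfo=timezone.utc)
READ = frozenset({"repository:read"})
EXPIRED = DeployToken("ci-old", READ, NOW - timedelta(days=1))
VALID = DeployToken("ci-current", READ, NOW + timedelta(days=30))
NEVER = DeployToken("ci-permanent", READ, None)
```

Running authorize_vulnerable(EXPIRED, "repository:read") returns True, while authorize_fixed(EXPIRED, "repository:read", NOW) returns (False, "token expired").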
Insufficient Session Expiration
Improper Authentication
Related Identifiers
Affected Products
Packistry