PT-2026-56549 · Composer · Composer

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-59946

CVSS v3.1

6.1

Medium

VectorAV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and world-executable mode during composer install, update, or require. This issue is fixed in versions 2.2.29 and 2.10.2.

Fix

Path traversal

Incorrect Permission

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59946

Affected Products

Composer