PT-2026-56549 · Composer · Composer
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-59946
CVSS v3.1
6.1
Medium
| Vector | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N |
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and world-executable mode during composer install, update, or require. This issue is fixed in versions 2.2.29 and 2.10.2.
Fix
Path traversal
Incorrect Permission
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Composer