PT-2026-56551 · Composer · Composer
Published
2026-07-08
·
Updated
2026-07-08
·
CVE-2026-59948
CVSS v3.1
7.0
High
| Vector | AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project during install or update by using an invalid package name that is not correctly validated before dependency-resolution results are written or installed. This issue is fixed in versions 2.2.29 and 2.10.2.
Fix
Memory Corruption
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Composer