PT-2026-56551 · Composer · Composer

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-59948

CVSS v3.1

7.0

High

VectorAV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project during install or update by using an invalid package name that is not correctly validated before dependency-resolution results are written or installed. This issue is fixed in versions 2.2.29 and 2.10.2.

Fix

Memory Corruption

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-59948

Affected Products

Composer