← Back to CVE List
CVE-2026-59948NVD
Vulnerability Summary
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project during install or update by using an invalid package name that is not correctly validated before dependency-resolution results are written or installed. This issue is fixed in versions 2.2.29 and 2.10.2.
CVSS v3.1 Base Metrics
Attack VectorLocal
Attack ComplexityHigh
Privileges RequiredNone
User InteractionRequired
ScopeUnchanged
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
External References
- https://github.com/composer/composer/commit/502c6c4f699802d9cf464728b3e8a95674f919a0
- https://github.com/composer/composer/commit/c50b1efd13ebd73f6dca19b31424c5a02bf93cc1
- https://github.com/composer/composer/releases/tag/2.10.2
- https://github.com/composer/composer/releases/tag/2.2.29
- https://github.com/composer/composer/security/advisories/GHSA-499r-g7pc-vmp9