Path Traversal Vulnerability in Composer Dependency Manager
CVE-2026-59946

6.1MEDIUM

Key Information:

Vendor

Composer

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59946?

A vulnerability exists in Composer, a widely-used dependency manager for PHP, prior to versions 2.2.29 and 2.10.2. It involves a manipulation of package bin entries with '..' path segments that enables resolution outside the package install directory. This could lead to Composer's installation process changing the permissions of existing files on the host system, making them world-readable and world-executable during operations such as install, update, or require. Users are advised to upgrade to the patched versions for improved security.

Affected Version(s)

composer >= 1.0, < 2.2.29 < 1.0, 2.2.29

composer >= 2.3.0, < 2.10.2 < 2.3.0, 2.10.2

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.