Path Traversal Vulnerability in Composer Dependency Manager
CVE-2026-59946
6.1MEDIUM
What is CVE-2026-59946?
A vulnerability exists in Composer, a widely-used dependency manager for PHP, prior to versions 2.2.29 and 2.10.2. It involves a manipulation of package bin entries with '..' path segments that enables resolution outside the package install directory. This could lead to Composer's installation process changing the permissions of existing files on the host system, making them world-readable and world-executable during operations such as install, update, or require. Users are advised to upgrade to the patched versions for improved security.
Affected Version(s)
composer >= 1.0, < 2.2.29 < 1.0, 2.2.29
composer >= 2.3.0, < 2.10.2 < 2.3.0, 2.10.2
