Remote File Write Vulnerability in Composer Dependency Manager by Composer
CVE-2026-59948

7HIGH

Key Information:

Vendor

Composer

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-59948?

Composer, a widely used dependency manager for PHP, possesses a vulnerability that allows malicious packages from untrusted repositories to manipulate files outside the intended vendor directory during installation or updates. This issue relates to the improper validation of package names prior to dependency resolution, potentially leading to unauthorized file creation in the project environment. Versions 2.2.29 and 2.10.2 address this security risk, and users are advised to update to mitigate potential impacts.

Affected Version(s)

composer >= 1.0, < 2.2.29 < 1.0, 2.2.29

composer >= 2.3.0, < 2.10.2 < 2.3.0, 2.10.2

References

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.