Remote File Write Vulnerability in Composer Dependency Manager by Composer
CVE-2026-59948
7HIGH
What is CVE-2026-59948?
Composer, a widely used dependency manager for PHP, possesses a vulnerability that allows malicious packages from untrusted repositories to manipulate files outside the intended vendor directory during installation or updates. This issue relates to the improper validation of package names prior to dependency resolution, potentially leading to unauthorized file creation in the project environment. Versions 2.2.29 and 2.10.2 address this security risk, and users are advised to update to mitigate potential impacts.
Affected Version(s)
composer >= 1.0, < 2.2.29 < 1.0, 2.2.29
composer >= 2.3.0, < 2.10.2 < 2.3.0, 2.10.2
