CVE-2026-59948 in Composerinfo

Zusammenfassung

von MITRE • 08.07.2026

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a maliciously crafted package from an untrusted repository other than Packagist.org or Private Packagist can cause Composer to write attacker-controlled files outside the vendor directory and outside the project during install or update by using an invalid package name that is not correctly validated before dependency-resolution results are written or installed. This issue is fixed in versions 2.2.29 and 2.10.2.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Zuständig

GitHub M

Reservieren

07.07.2026

Veröffentlichung

08.07.2026

Moderieren

akzeptiert

Eintrag

VDB-377009

CPE

bereit

EPSS

0.00000

KEV

nein

Aktivitäten

very low

Quellen

Do you know our Splunk app?

Download it now for free!