Unrated severityOSV Advisory· Published Jul 10, 2026
Debian composer: Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.…
CVE-2026-59946
Description
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and world-executable mode during composer install, update, or require. This issue is fixed in versions 2.2.29 and 2.10.2.
Affected products
3Patches
Vulnerability mechanics
News mentions
0No linked articles in our index yet.