CVE-2026-59946

Summary

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and world-executable mode during composer install, update, or require. This issue is fixed in versions 2.2.29 and 2.10.2.

Affected Software

VendorProductVersion RangeStatus
composercomposer>= 1.0, < 2.2.29affected
composercomposer>= 2.3.0, < 2.10.2affected

Weaknesses

  • CWE-22: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-732: CWE-732: Incorrect Permission Assignment for Critical Resource

References