PatchSiren cyber security CVE debrief
CVE-2026-59946 composer CVE debrief
A medium-severity vulnerability was found in Composer, a dependency manager for the PHP language. The issue occurs when a Composer package bin entry contains .. path segments, which can resolve outside the package install directory. This allows an attacker to cause Composer's binary installation flow to chmod an existing host file to a world-readable and world-executable mode during composer install, update, or require. The vulnerability is fixed in versions 2.2.29 and 2.10.2. Developers and administrators using Composer for dependency management in PHP projects should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- composer
- Product
- Unknown
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Developers and administrators using Composer for dependency management in PHP projects should be aware of this vulnerability and take steps to mitigate it. This includes updating to a patched version of Composer and reviewing package bin entries for potential vulnerabilities. Affected operator, platform, vulnerability-management, and security-team impact should be reviewed.
Technical summary
The vulnerability occurs when a Composer package bin entry contains .. path segments, allowing an attacker to resolve outside the package install directory. This can cause Composer's binary installation flow to chmod an existing host file to a world-readable and world-executable mode during composer install, update, or require. The issue is fixed in versions 2.2.29 and 2.10.2. Affected product deployments should be reviewed for potential exposure, and compensating controls should be considered while remediation is scheduled.
Defensive priority
Medium
Recommended defensive actions
- Update to a patched version of Composer (2.2.29 or 2.10.2)
- Review package bin entries for potential vulnerabilities
- Monitor for suspicious activity in Composer installations
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The vulnerability was reported in the NVD database and has a CVSS score of 6.1. The issue is fixed in versions 2.2.29 and 2.10.2 of Composer. To verify, defenders should review package bin entries for potential vulnerabilities and monitor for suspicious activity in Composer installations. Evidence is limited, and further verification is required to confirm affected scope and severity.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T20:16:59.707Z and has not been modified since then.