PatchSiren cyber security CVE debrief
CVE-2026-59948 composer CVE debrief
A vulnerability in Composer, a dependency manager for PHP, allows a malicious package from an untrusted repository to write attacker-controlled files outside the vendor directory and project during installation or update. This issue is fixed in versions 2.2.29 and 2.10.2. The vulnerability has a high CVSS score of 7 and is classified as HIGH severity. Developers using Composer for dependency management in PHP projects should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- composer
- Product
- Unknown
- CVSS
- HIGH 7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Developers using Composer for dependency management in PHP projects should be aware of this vulnerability and take steps to mitigate it. This includes updating Composer to versions 2.2.29 or 2.10.2, or later, and verifying that only trusted repositories are used for package installations.
Technical summary
Prior to Composer versions 2.2.29 and 2.10.2, an attacker can exploit this vulnerability by using a maliciously crafted package from an untrusted repository, potentially leading to arbitrary file writes outside the vendor directory and project. The vulnerability is caused by an invalid package name that is not correctly validated before dependency-resolution results are written or installed. This issue allows attackers to write files outside the intended directories, potentially leading to code execution or other malicious activities. To mitigate this vulnerability, developers should update Composer to versions 2.2.29 or 2.10.2, or later, and ensure that only trusted repositories are used for package installations. Additionally, monitoring projects for suspicious activity and reviewing compensating controls for exposed systems can help prevent exploitation.
Defensive priority
High priority should be given to updating Composer to versions 2.2.29 or 2.10.2, or later, to prevent potential exploitation.
Recommended defensive actions
- Update Composer to version 2.2.29 or 2.10.2, or later.
- Verify that only trusted repositories are used for package installations.
- Monitor projects for any suspicious activity or unexpected file changes.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-08T20:16:59.980Z and was last modified on 2026-07-10T19:14:18.563Z. The NVD entry is currently Deferred. This information is based on the provided source corpus and may not reflect the current status of the vulnerability. Users should verify the information with the official CVE record and NVD entry for the most up-to-date details. The vulnerability affects Composer, a dependency manager for PHP, and allows a malicious package from an untrusted repository to write attacker-controlled files outside the vendor directory and project during installation or update.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T20:16:59.980Z and has not been modified since then. The NVD entry is currently Deferred.