PatchSiren

composer CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH composer CVE published 2026-07-08

CVE-2026-59948

A vulnerability in Composer, a dependency manager for PHP, allows a malicious package from an untrusted repository to write attacker-controlled files outside the vendor directory and project during installation or update. This issue is fixed in versions 2.2.29 and 2.10.2. The vulnerability has a high CVSS score of 7 and is classified as HIGH severity. Developers using Composer for dependency management in [truncated]

MEDIUM composer CVE published 2026-07-08

CVE-2026-59947

CVE-2026-59947 is a medium-severity vulnerability in Composer, a dependency manager for PHP. When run with -vvv debug verbosity, Composer could print credentials embedded in repository or package URLs, such as GitHub Personal Access Tokens, to debug output. This issue was fixed in versions 2.2.29 and 2.10.2. The vulnerability affects developers using Composer for dependency management in PHP projects, who [truncated]