A vulnerability in Composer, a dependency manager for PHP, allows a malicious package from an untrusted repository to write attacker-controlled files outside the vendor directory and project during installation or update. This issue is fixed in versions 2.2.29 and 2.10.2. The vulnerability has a high CVSS score of 7 and is classified as HIGH severity. Developers using Composer for dependency management in [truncated]
CVE-2026-59947 is a medium-severity vulnerability in Composer, a dependency manager for PHP. When run with -vvv debug verbosity, Composer could print credentials embedded in repository or package URLs, such as GitHub Personal Access Tokens, to debug output. This issue was fixed in versions 2.2.29 and 2.10.2. The vulnerability affects developers using Composer for dependency management in PHP projects, who [truncated]