securityonline.info 7/14/2026, 5:18:08 PM · external

Composer fixes CVE-2026-59948 flaw enabling arbitrary file writes

Composer fixes CVE-2026-59948 flaw enabling arbitrary file writes
CyberSIXT Evidence Panel
Primary Source github.com
CISA KEV Not in KEV
Patch Patch Status Unknown

THE report highlights a critical security alert regarding PHP Composer, the main dependency manager for PHP. Three vulnerabilities were identified, notably CVE-2026-59948, which allows arbitrary file writes outside the vendor directory with a CVSS score of 7.0. The issues stem from supply chain vulnerabilities and potential code execution risks due to untrusted package imports. The Composer team has released patches in versions 2.10.2 and 2.2.29 but confirmed no exploitation has occurred to date. Users are advised to update their versions to mitigate these risks and follow best practices to secure their environments.

View Primary Source Via securityonline.info

Article by CyberSIXT