SB2026070158 - Multiple vulnerabilities in composer

Published: July 1, 2026

Security Bulletin ID: SB2026070158
CSH Severity: Medium
Patch available: Yes
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Medium: 67% (2 of 3), Low: 33% (1 of 3), High: 0, Critical: 0

Description

This security bulletin contains information about 3 vulnerabilities.


1) Inclusion of Sensitive Information in Log Files (CVE-ID: N/A)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to obtain sensitive information.

The vulnerability exists due to insertion of sensitive information into log files. When Composer handles a repository or package URL that carries a credential in the username part of the URL (for example an access token placed before the "@"), the debug output records that URL verbatim, including the credential. A local user who runs Composer with debug verbosity, or who can read retained debug output, can recover the embedded access token.

Exposure requires all of the following: a credential embedded in the username slot of a URL that Composer processes, Composer run at debug verbosity, and the resulting output retained or shared where others can read it. Credentials kept in auth.json rather than in the URL are not affected by this issue.
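The first thing a practitioner wants after reading this entry is a way to find URLs with embedded credentials in their own manifests, and a redaction routine to apply before any URL is logged. The following is an added example written for this bulletin, not Composer's own code. The composer.json and composer.lock structures are constructed for the example, the token strings are placeholders, and the `find_embedded_credentials`, `redact_url` and `scan_file` names are this example's own.

```python
"""Scan parsed Composer manifests for URLs that carry credentials in the userinfo
part (token@host or user:password@host) and show how to redact such a URL before
it reaches a log. Added example, not part of Composer."""
import json
from urllib.parse import urlsplit, urlunsplit


def redact_url(url: str) -> str:
    """Replace the userinfo part of a URL with '***'; scheme, host, port, path,
    query and fragment are kept so the log line stays useful for debugging."""
    parts = urlsplit(url)
    if not parts.username and not parts.password:
        return url
    host = parts.hostname or ""  # note: urlsplit lower-cases the host
    try:
        if parts.port is not None:
            host = f"{host}:{parts.port}"
    except ValueError:  # malformed port: keep the bare host rather than fail
        pass
    return urlunsplit((parts.scheme, f"***@{host}", parts.path, parts.query, parts.fragment))


def find_embedded_credentials(manifest, path: str = "") -> list:
    """Walk a parsed composer.json / composer.lock (any nesting of dicts and lists)
    and return (json_path, redacted_url) for every string that is a URL with
    a non-empty username or password. The raw credential is never returned."""
    findings = []
    if isinstance(manifest, dict):
        for key, value in manifest.items():
            findings.extend(find_embedded_credentials(value, f"{path}.{key}" if path else key))
    elif isinstance(manifest, list):
        for idx, value in enumerate(manifest):
            findings.extend(find_embedded_credentials(value, f"{path}[{idx}]"))
    elif isinstance(manifest, str) and "://" in manifest:
        parts = urlsplit(manifest)
        if parts.username or parts.password:
            findings.append((path, redact_url(manifest)))
    return findings


def scan_file(filename: str) -> list:
    """Convenience wrapper for a real composer.json or composer.lock on disk."""
    with open(filename, encoding="utf-8") as fh:
        return find_embedded_credentials(json.load(fh))


# Constructed sample manifests (placeholders, not real projects or tokens).
SAMPLE_COMPOSER_JSON = {
    "name": "acme/app",
    "repositories": [
        {"type": "vcs", "url": "https://ghp_EXAMPLETOKEN:x-oauth-basic@github.com/acme/private-lib.git"},
        {"type": "composer", "url": "https://packagist.example.com/"},
    ],
    "require": {"acme/private-lib": "^1.0"},
}

SAMPLE_COMPOSER_LOCK = {
    "packages": [
        {
            "name": "acme/private-lib",
            "version": "1.2.0",
            # token in the username slot, the exact shape this entry describes
            "source": {"type": "git", "url": "https://glpat-EXAMPLE@gitlab.example.com/acme/private-lib.git", "reference": "abc123"},
            "dist": {"type": "zip", "url": "https://gitlab.example.com/api/v4/projects/1/repository/archive.zip"},
        }
    ]
}

if __name__ == "__main__":
    for label, manifest in (("composer.json", SAMPLE_COMPOSER_JSON), ("composer.lock", SAMPLE_COMPOSER_LOCK)):
        for json_path, redacted in find_embedded_credentials(manifest):
            print(f"{label}: credential embedded at {json_path} -> {redacted}")
```

Any hit should be moved out of the URL and into auth.json (Composer's `http-basic`, `github-oauth` and similar entries), after which the URL no longer contains anything that debug output could leak. The scanner returns only redacted URLs, so its own output is safe to attach to a ticket.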


2) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to insufficient validation of package names when Composer processes package metadata from an untrusted third-party repository during install or update. A package name containing path traversal sequences is not rejected, so the files of that package can be written outside the vendor directory and outside the project. A remote attacker who can publish a package to such a repository can use this to place files in attacker-chosen locations and execute arbitrary code.

User interaction is required: the victim must run a normal install or update, and the malicious or compromised package must be present in the dependency graph and come from an untrusted third-party repository. Projects that only consume packages from repositories they control are not exposed to this issue through that path.


3) Path traversal (CVE-ID: N/A)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to obtain sensitive information.

The vulnerability exists due to path traversal in the processing of the bin field. Bin entries are paths relative to the package root, and entries containing ".." segments are not confined to the package directory. A remote attacker can trick the victim into installing a malicious dependency whose bin entries point at existing files outside the package to obtain sensitive information.

The impact is that Composer changes the permissions of an existing target file, making it world-readable and world-executable. User interaction is required: the victim must install, update, or require the malicious dependency.
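Both path traversal entries above (2 and 3) come down to the same check a practitioner can run against a lock file before installing: does the package name keep the install path under the vendor directory, and does each bin entry stay under the package it belongs to? The following is an added example written for this bulletin, not Composer's own validator. The package-name pattern is modelled on the name shape described in Composer's documentation and is an assumption rather than a copy of Composer's code; the lock structure, package names and paths are constructed placeholders, and the `resolves_inside` and `audit_lock` names are this example's own. The audit only reports escaping entries; it does not reproduce the permission change described in entry 3.

```python
"""Audit a parsed composer.lock for package names and bin entries that would
resolve outside the directory they belong in. Added example, not part of Composer."""
import posixpath
import re

# Expected shape of a Composer package name: vendor/project, lower-case, no path
# characters. Modelled on Composer's documented name shape (assumption).
PACKAGE_NAME_RE = re.compile(
    r"^[a-z0-9]([_.-]?[a-z0-9]+)*/[a-z0-9](([_.]|-{1,2})?[a-z0-9]+)*$"
)


def resolves_inside(base: str, relative: str) -> bool:
    """True if joining `relative` onto `base` stays inside `base` after '.' and
    '..' normalisation. Backslashes are treated as separators so a Windows-style
    traversal does not slip past a forward-slash-only check; absolute paths
    are rejected outright."""
    relative = relative.replace("\\", "/")
    if posixpath.isabs(relative):
        return False
    base = posixpath.normpath(base)
    target = posixpath.normpath(posixpath.join(base, relative))
    return target == base or target.startswith(base + "/")


def audit_lock(lock: dict, vendor_dir: str = "vendor") -> list:
    """Return (package_name, field, detail) for every escaping entry.

    - the package name must match PACKAGE_NAME_RE and keep vendor/<name> under vendor/
    - each bin entry is relative to the package root and must stay under it
    """
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if not PACKAGE_NAME_RE.fullmatch(name) or not resolves_inside(vendor_dir, name):
                findings.append((name, "name", "install path escapes vendor directory"))
                continue  # do not trust the bin entries of a package with a bad name
            install_dir = posixpath.join(vendor_dir, name)
            bins = pkg.get("bin", [])
            if isinstance(bins, str):  # tolerate a single string as well as a list
                bins = [bins]
            for entry in bins:
                if not resolves_inside(install_dir, entry):
                    findings.append((name, "bin", entry))
    return findings


# Constructed sample lock (placeholder packages, not real ones).
SAMPLE_LOCK = {
    "packages": [
        {"name": "acme/cli-tool", "version": "1.0.0", "bin": ["bin/acme"]},
        {"name": "acme/../../evil", "version": "1.0.0"},           # entry 2 pattern
        {"name": "acme/lib", "version": "2.1.0",
         "bin": ["../../../.ssh/authorized_keys", "/etc/passwd", "scripts/run"]},  # entry 3 pattern
    ],
    "packages-dev": [
        {"name": "acme/dev-helper", "version": "0.1.0", "bin": ["./tools/helper"]},
    ],
}

if __name__ == "__main__":
    for name, field, detail in audit_lock(SAMPLE_LOCK):
        print(f"{name}: {field} escapes its directory ({detail})")
```

Run this against composer.lock before `composer install` on a project that pulls from third-party repositories; a non-empty result means the lock references a package that the unpatched Composer would write, or chmod, outside where it should. The check normalises the joined path rather than looking for a literal "..", so forms such as "a/../../x" are caught as well.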


Remediation

Install the update from the vendor's website. Until it is applied, avoid running install or update against untrusted third-party repositories, and keep credentials out of repository and package URLs (use auth.json instead) so that debug output cannot expose them.