๐Ÿ” CVE Alert

CVE-2026-59947

MEDIUM 4.7

Composer: URL-embedded HTTP-Basic username leaks to verbose logs (GitHub PAT exposure)

CVSS Score
4.7
EPSS Score
0.1%
EPSS Percentile
1th

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug output because AuthHelper, Url::sanitize, and ProcessExecutor did not sanitize username-only URL credentials. This issue is fixed in versions 2.2.29 and 2.10.2.

CWE CWE-532
Vendor composer
Product composer
Published Jul 8, 2026
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for composer composer

Be the first to know when new medium vulnerabilities affecting composer composer are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

composer / composer
>= 1.0, < 2.2.29 >= 2.3.0, < 2.10.2

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/composer/composer/security/advisories/GHSA-g6xq-892h-64w3 github.com: https://github.com/composer/composer/commit/6bd66874ae523ecb69aca5964487a0cdfda03ef8 github.com: https://github.com/composer/composer/commit/8887ad76fbd830cb1861a2b1fd8ead78ed1fa1ec github.com: https://github.com/composer/composer/releases/tag/2.10.2 github.com: https://github.com/composer/composer/releases/tag/2.2.29