Critical Path Traversal Vulnerabilities in Fedora Composer 2026

Critical Path Traversal Vulnerabilities in Fedora Composer 2026

First seen 11 Jul 2026, 23:28 UTC Linuxsecurity 97% similarity 72.0

Article Content

Browse articles
ThreatCluster

Fedora has released security updates for Composer affecting versions 2.10.2 in both Fedora 43 and 44. The updates address critical path traversal vulnerabilities that could allow attackers to manipulate package names and bin paths. These vulnerabilities are identified by CVEs GHSA-499r-g7pc-vmp9 and GHSA-gjfg-22fp-rrxx. The updates also include various other security enhancements and bug fixes. Users are advised to upgrade their systems using the 'dnf' update program to mitigate potential risks. The vulnerabilities could impact any PHP project using Composer, emphasizing the need for immediate action by developers and system administrators. The updates were published on July 11, 2026, with the last version update occurring on July 1, 2026.

Key Points: • Critical path traversal vulnerabilities found in Composer for Fedora 43 and 44. • Users should upgrade to Composer version 2.10.2 to mitigate risks. • The vulnerabilities could allow unauthorized access to PHP project dependencies.

ThreatCluster AI

Timeline

2026-07-01
Composer version 2.10.2 released
Fedora updated Composer to version 2.10.2, addressing multiple security issues including path traversal vulnerabilities.
Linuxsecurity
2026-07-11
Security updates published for Fedora Composer
Fedora released security updates for Composer versions 2.10.2 in Fedora 43 and 44, addressing critical vulnerabilities.
Linuxsecurity

Community

Browse all →