CVE-2026-59947

Source
https://cve.org/CVERecord?id=CVE-2026-59947
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59947.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59947
Aliases
Downstream
Related
Published
2026-07-08T19:33:56.009Z
Modified
2026-07-15T10:14:42.078274317Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Composer: URL-embedded HTTP-Basic username leaks to verbose logs (GitHub PAT exposure)
Details

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug output because AuthHelper, Url::sanitize, and ProcessExecutor did not sanitize username-only URL credentials. This issue is fixed in versions 2.2.29 and 2.10.2.

Database specific
{
    "cwe_ids": [
        "CWE-532"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59947.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/composer/composer

Affected ranges

Type
GIT
Repo
https://github.com/composer/composer
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "1.0"
        },
        {
            "fixed": "2.2.29"
        },
        {
            "introduced": "2.3.0"
        },
        {
            "fixed": "2.10.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

2.*
2.10.0
2.10.0-RC1
2.10.0-RC2
2.10.1
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.4.0
2.4.0-RC1
2.4.1
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.9.0
2.9.0-RC1
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59947.json"