A vulnerability, which was classified as critical, was found in Composer up to 2.2.28/2.10.1. Impacted is an unknown function of the component Dependency Resolution. Executing a manipulation of the argument package name can lead to path traversal.
This vulnerability appears as CVE-2026-59948. The attack may be performed from remote. There is no available exploit.