CVE-2026-27968
MEDIUM 4.3
Description
Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and tests now test expired deploy tokens to ensure they are rejected.
CVE Details
CVSS v3.1 score: 4.3
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack vector: NETWORK
Complexity: LOW
Privileges required: LOW
User interaction: NONE
Published: 2/26/2026
Last modified: 3/2/2026
Source: nvd
Honeypot sightings: 0
Affected products
packistryphp:packistry
Weaknesses (CWE)
CWE-287, CWE-613
References
https://github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283 (security-advisories@github.com)
https://github.com/packistry/packistry/pull/276 (security-advisories@github.com)
https://github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.