4.3
CVE-2026-27968
- EPSS 0.19%
- Veröffentlicht 26.02.2026 01:57:12
- Zuletzt bearbeitet 02.03.2026 18:04:44
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginPackistry accepts expired access tokens
Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and tests now test expired deploy tokens to ensure they are rejected.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Packistryphp ≫ Packistry Version < 0.13.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.19% | 0.081 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
|
CWE-287 Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-613 Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
https://github.com/packistry/packistry/security/advisories/GHSA-4r9m-jp53-vgmw
https://github.com/packistry/packistry/pull/276
https://github.com/packistry/packistry/commit/7740b48f0f4ecbe63099fb056c8a146180f8b283